Hi all
I’ve a lot of API used to distribute data by GET request; I’d like to create a free GET API without api_key. Is there a way?
I tried using “Guest Access” but It provide an access to specific API services without requiring authentication (token) but requiring “api_key”. Is there a way to release a free API?
Thank you.
Hi @vlauciani,
While you do not need to always supply a JWT or Session Token with any API requests, you must supply an API Key with every call. As you have seen the “Guest Access” page already, I wanted to just follow that up with this snippet:
Applications can be given “guest” access by assigning a default role to an application, detailing what resources should be accessible without user authentication. This is useful, if your application has an open “website” or kiosk mode.
This would enable you to basically open the endpoints you wanted, while maintaining the architectural restriction of always passing an API key. This restriction is purposeful to allow you, as the administrator, to have full control of the access of the data. If you set up Guest Access and just put the API key in a config file or .env file and then called it as needed in your app, akin to something like this in a React app I am building:
If that app had no restrictions on it, I can make that GET call from anywhere, as long as the role assigned to that API key allows for unlimited traffic.
That is as close as DF comes to having a “wide open” data source.
https://wiki.dreamfactory.com/DreamFactory/Features/Auth#Authorization
Thank you for your answer.
I understand your point of view, but with this approach each public user that use my public API should have an “api_key”!!!
My API returns, for example, a JSON with temperature for each place; this API is public and everyone can retrieve data. I’ve more than 2000 requests per day by more or less 200 single users; should I produce 200 “api_key” for each user? Every new user should request me a new “api_key”?
The idea is to open to the public access (without “token” and/or “api_key”) a few set of API with only limit access.
Valentino
That is why you set the API key as a server system variable. No one can access it you do that as you would call it as a variable in any outward facing application.
You would only create 1 key that would serve as the access point for the data containing the information you wish to expose. I am guessing right now you have an application, that people can interact with, and when they hit submit, it returns the JSON data, similar to this from Open Weather:
The API key (which I have obfuscated here) could have a role assigned to it to only access the GET verb. You could use multiple keys if you wanted to try and track which endpoints had been hit and by whom, but for simplicity’s sake, you can just create one, set it as a server side variable, call it in your application when someone makes a request for the data and you would be all set.
Hi
If I understand correctly, the idea is to create the “Server_A” front-end where user send GET request (for example: http://server_a/api/v2/weather?zip=94040), then “Server_A” adds params “api_key=<api_for_get>” to the request and forward it to “Server_B” where Dreamfactory is installed. “Server_B” validate the “api_key” and return the “service”.
Is it correct?
any news?
what is the best practice to disable the use of “api_key” for public API?
I haven’t implemented it yet, but dynamically providing the API key is the solution I was planning to try. You could probably do it more easily with mod_rewrite than another server and then you could conditionally keep the API key, for example, you have an app that usually requires no authentication but there are privileged resources on the same URL. If an API key and JWT exists, pass it through, otherwise apply a base key.
I had expected this to be a big issue, but ultimately even for a government using the APIs heavily for public facing stuff we haven’t had a usecase where we need an endpoint with no API key - the developers always need assistance so giving them the key isn’t a problem, or it can be provided in publicly available docs.
Thanks,
Josiah