I'm with when it comes to security of API keys, with one difference. They can be secure (or at least as secure as things can be ;) ) as long as they are bound to the session/client that created them, which would result in a broken key if someone tried to reuse the same key on another device/session.
I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Sessions can be reused by an attacker, but it definitely makes for one more security layer to be bypassed, and I always recommend using it when possible.
Other techniques exist to make them more difficult to abuse, but API keys on their own can only be considered secure for authentication purposes when the communication is between 2 servers, and they are stored on both servers in a secure way.
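A sketch of the session-bound key idea discussed in this thread, added here as an example and not code from either commenter. The names `SERVER_SECRET`, `issue_key`, `verify_key` and `demo`, and the session identifiers, are constructed for illustration; the binding uses an HMAC over the session id, which is one possible way to implement it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; assumed to be kept only on the server.
SERVER_SECRET = secrets.token_bytes(32)


def _tag(nonce: str, session_id: str) -> str:
    # The nonce is hex (no dots), so "nonce.session_id" cannot be split ambiguously.
    msg = f"{nonce}.{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_key(session_id: str) -> str:
    """Issue an API key that only verifies together with the session that requested it."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_tag(nonce, session_id)}"


def verify_key(api_key: str, session_id: str) -> bool:
    """Recompute the tag for the presenting session; a key moved elsewhere fails."""
    nonce, sep, tag = api_key.partition(".")
    if not sep or not nonce or not tag:
        return False
    expected = _tag(nonce, session_id)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(tag.encode(), expected.encode())


def demo() -> dict:
    key = issue_key("sess-A")  # constructed session ids
    return {
        "same_session": verify_key(key, "sess-A"),
        # Key copied to a different session/device: the binding breaks it.
        "other_session": verify_key(key, "sess-B"),
        # The caveat from the reply: if the session itself is reused along
        # with the key, the binding alone does not stop the request.
        "stolen_key_and_session": verify_key(key, "sess-A"),
        "tampered_key": verify_key(key[:-1] + ("0" if key[-1] != "0" else "1"), "sess-A"),
    }


if __name__ == "__main__":
    print(demo())
```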