Is getting the API key in the query string secure?

I am making an API and want other users to be able access it. My implementation is to get the API key and API "password" from the query string and use them to identify if the user is a valid user of our site.

domain.com/api/?api_key=theapikey&api_password=thepasswordhere

I am not familiar with security but is this a secure way to do it? Or is there more secure ways for do开发者_开发百科ing this?

I recommend passing it in the header. You would need something like curl or postman to call it, which is appropriate for most API keys that are designed for application integration.

If you are looking to have users view it in the browser, you'll need some login screen. This can be saved as a cookie so future requests don't always force a login.

It's not secure no, there are more secure ways yes, look into OAuth. You'll probably be able to find some helper libraries in your language of choice.

a) You should use POST instead of GET whereas GET is the method you are currently describing ( when the data is in the address field. You get POST values by selecting POST method from your web application's forms IE:

<FORM action="http://domain.com/api" method="post">

b) That is somewhat more secure, but more security is perceived by using the https tunnel, you get that by installing a validated security key onto you'r web server, and using https instead of http.

Example for apache: http://www.digicert.com/ssl-certificate-installation-apache.htm

Hope I helped out :)