Securing Your Serverless API With API Keys

Captions
You know how to create an API using Serverless, but now you want to secure that API so you can control who accesses it. In this video that is exactly what I'm going to show you how to do. Hi guys, I'm Sam with Complete Coding, and in this video I'm going to show you how you can add some configuration to your Serverless project so that you can add API keys to your endpoints. API keys are great because they mean you can securely allow certain people to access your API without giving access to everybody and making it completely public. This can be great if you want just your front-end application to be able to access the backend APIs that you've created. It could be that you have API as a service, where you allow free users to sign up and get restricted access to your API, or paid users pay you for the service and then get better access to those APIs.

To add API keys to this project there are a couple of different ways we can do that. I'm going to start with the most basic setup and then show you some more advanced ways of configuring it, which give us more control over exactly how the API keys are used. To add an API key in the most basic form, we need to go to our provider object and, after our iamRoleStatements, add a new field called apiKeys. This is an array, and we need to give a value for our API key. This is just a reference so that we can easily access them, so we're going to go with "my first API key" and save this file. This will then generate a key which will be output when we deploy our Serverless project. As we scroll down we can then see that there are our functions. These functions automatically work without having to pass in an API key at the moment. If we want to add the security of an API key to each of these functions, we need to add another parameter onto the http options: a private option set to true. If we save this now, this means that the get user endpoint will return an unauthorized response if we do not pass up an API key.

So now in our terminal we can run sls deploy, and this is going to deploy our new API with the API key required for the get user endpoint. Now that Serverless has finished deploying, we can scroll up in the outputs to just above the endpoints and we can see that we have an API key, "my first API key", which points at this string value here, which we are going to copy. For now we're going to go over to our Postman instance, where we have the request that normally would return our user. If we now make this request we get a 403 response with a message of "forbidden"; that's because we've not passed up an API key. To do that in Postman, we can click on Authorization, change the option to API Key, set the key to x-api-key and then paste our value in here. This is going to attach the x-api-key header with the value of our key, so now when we make the request we still get the response. This now means that without having this API key you can't make a request to this endpoint.

So if we now head back into our serverless file, I will talk over how we can get more control over our APIs. The first thing that we can do is add a usage plan. A usage plan is great if you want to give this to other parties or other people: they have access to your API, but you don't want them hitting it too much because it costs you money to run this API, so you don't want to unexpectedly get a very large bill. To add a usage plan we can say usagePlan, and in here we have some parameters. The first is a quota, which is how many times this API can be hit with this API key every month. So we set a limit, and for this one I'm going to say that it can get hit 1,000 times a month. We also need to pick the period, so period set to month, and that is the quota defined. You can deploy this as is, and after a thousand hits with that API key it will stop allowing you to make any more requests. There is also throttling. Throttling doesn't limit how many requests in total, but how many requests per second. This is useful because lots of bots often make lots of very fast requests, so this is a way of stopping your API from being DDoSed. So, throttle, and this has two options. A rate limit: this rate limit is how many times per second your API can get hit, so I'm going to set that to five. As well as that there is also a burst limit. This burst limit differs from the rate limit because it is for a short period of time, so what you can say is: on average I can only be hit five times a second, but in a short burst someone can hit this API 20 times in a second, and then it automatically drops back down to five after that. This is useful if you have something that starts up and has to make a couple of requests so that it doesn't break, but generally five a second is your limit. So now if we saved and deployed this it would deploy our API key again with all of these controls.

What we're going to do is take it one step further. If you want to have different levels of usage plan you can define that in here. This is good if you have, say, a premium service and a free version. You could set up an API so that when users register they get a free API key which has a limit of a hundred requests a month, and then if they pay for your service they get upgraded to a premium API key, and that means that they now get a thousand requests a month or unlimited requests. To do that we need to make a small change to this file. Under apiKeys we need to set up our groups. The first group that we need to set up is going to be our free API key; this is an option, and then underneath this we need to update our API keys. For here, unfortunately, we can't use the same API key that we used first time round, so we need to create a new API key called "my free API key". As well as that we also have the paid option, so for the paid option we're going to have an API key called "my paid API key". Now that these have been set up, we need to say what level of usage plan each of these groups has. To do that, under usagePlan we can create an option for free, and what we're going to do is tab this in so the free option has these provisioned usage plans. What we're going to do now is create a paid usage plan. So in here we can have a paid usage plan, and we're going to change some things around this. We're still going to have a quota, and that is going to have a limit this time of 10,000, and again that is going to be per month, so a period of month. If you wanted, your paid service could actually have unlimited, and the way you do that is by not including the quota object inside your usage plan. As well as that we have the throttling. With our throttling we have to set the rate limit and the burst limit. As we've got a quota limit of ten times as much, I'm going to set the rate limit also to be ten times as much, so that'll be 50 a second and a burst limit of 200 per second. So now this has been set up we'll get two separate API keys which have two separate usage plans.

Now that we've set up all of our usage plans we can save this file, go into our terminal and run sls deploy, which will deploy our Serverless package with these new free and paid API keys. This obviously takes a little while because it's Serverless, so now would be a brilliant time to hit that like button. It helps the YouTube algorithm figure out that this video is helpful to you, and that means it shows it to more people just like you who want to learn about Serverless. Now that that has finished deploying we can scroll up and see that we have two API keys, a free and a paid API key. Unfortunately it is quite hard to test the limits of these APIs, as we'd have to make 1,000 requests before we stopped being able to make a request with the free service, but that is how you would set it up and deploy it. So these API keys would be given to free users and this API key would be given to a user who had paid. Every new user should get a new API key, so you do that by adding a user to the paid key and adding a new API key in here for each user that buys your service or for each user that uses the free version of your service.

In this video we have learned how we can create API keys for our Serverless service. We started by creating a simple API key which just allowed access to the APIs that were protected. We then took a step forward and introduced usage policies, where we could define the API keys as having certain amounts of access to our API. Finally we took this one step further, where we created two different tiers of API key: a free API key which had restricted access, and then a paid API key which in our case had access to do more requests, but you could configure this however you like. Thank you for watching this video, I really hope that it's been helpful for you. If you want to find out about more videos like this then check out the playlist down here, or subscribe to my channel where you'll get notified every time I release a new Serverless video. Thank you and I'll see you again next time.
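The tiered setup walked through above, written out as one serverless.yml. This is an added example, not the video's own file; the service name, runtime, handler path and endpoint path are assumptions, while the key groups, quotas and throttle values are the ones described in the video.

```yaml
service: my-service             # assumed service name

provider:
  name: aws
  runtime: nodejs12.x           # assumed runtime
  apiKeys:
    - free:
        - myFreeApiKey          # one entry per free-tier user; the key value is generated on deploy
    - paid:
        - myPaidApiKey          # one entry per paying user; never commit the generated values
  usagePlan:
    - free:
        quota:
          limit: 1000           # requests per period for each key in this group
          period: MONTH
        throttle:
          rateLimit: 5          # sustained requests per second
          burstLimit: 20        # short-burst ceiling before API Gateway starts throttling
    - paid:
        quota:                  # omit the quota block entirely for an unlimited monthly quota
          limit: 10000
          period: MONTH
        throttle:
          rateLimit: 50
          burstLimit: 200

functions:
  getUser:
    handler: handler.getUser    # assumed handler path
    events:
      - http:
          path: user            # assumed path
          method: get
          private: true         # without a valid x-api-key header API Gateway answers 403 Forbidden
```

Each key in the `free` group is bound to the `free` plan and each key in `paid` to the `paid` plan, so moving a user between tiers means issuing them a key from the other group rather than editing the plan.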
Info
Channel: Complete Coding
Views: 4,511
Id: n5aSq1L5nIw
Length: 14min 21sec (861 seconds)
Published: Sun Dec 08 2019