FAQ

What are some best practices and recommendations on how to store and protect API keys?

Store API keys / secrets safely

• Do not embedAPIkeys/secretsdirectlyin code.
• Do not storeAPIkeys/secretsinfiles inside your application, include the application’s source tree
• If you do accidentally commit anAPIkey/secretstoversion control, revoke it immediately and generate a new one.
• EnsureAPIkeys/secretsnotappear in URLsoranywherecanbe captured in web server logs.
• Review your code carefully and ensure it doesn’t containAPIkeys/secretsorany other private information before publicly releasing it.
• Put the configuration file containing theAPIkeys/secretsinthe revision control ignore. This prevents committing them by mistake in the future.

Limit the usage of API keys / secrets

• Restrict yourAPIkeys/secretstobe used by only the IP addresses, referrer URLs, and mobile apps that need them.
• Don't share yourAPIkeys/secretswithdifferent applications. If more than one application uses the same API, register each application to get a new set ofAPIkeys/ secrets.

Update API keys / secrets

• Delete unneededAPIkeys/ secrets.
• Update (Regenerate) yourAPIkeys/secretsperiodically.

References

1. Best practices for securely using API keys: https://support.google.com/cloud/answer/6310037?hl=en
2. REST Security Cheat Sheet - OWASP: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

How can I view what data is returned by an API? How can I test an API using my web browser?

In order to view the data provided by an API or test it using this developer portal, follow the steps below.

Get the Consumer Key and Secret

1. Browse the documentation of the available APIs to help you select one
2. Register your application
3. Depending on the API you request access to, the approval may take a couple of days or be automatic
4. Go to My Apps and select the application you just registered. Select Generate/Re-generate button
5. Copy the "Consumer Key" and "Consumer Secret" for use in the section below (as client id and client secret respectively)

Make the API call

1. Use the client id (consumer key) and client key (consumer secret) from the steps above to get an access token.
   1. Select the API corresponding to the product that you registered in the previous section
   2. Click on the "getAccesToken" method 
   3. Enter "client_credentials" under grant type
   4. Enter the client id (consumer key) and client key (consumer secret) from your registered application
   5. Click on the "Send this request" button
   6. View the response and save the "access_token" value
2. Use the access token to make API calls
   1. Select the API corresponding to the product that you used to get the access token in the previous section
   2. Click on any method except for "getAccessToken"
   3. Enter "Bearer XXXX" under the Authorization header, where XXX is the access token
   4. Enter any required query parameters or url parameters
   5. Click on the "Send this request" button

Who can access the APIs? Can people not affiliated to UCSD access the APIs?

The APIs are available to UCSD developers (staff, student and faculty) who have an Single Sign-on account. At this point, the APIs are not open to developers outside of UCSD. Some APIs have more restrictions or require approvals, which limit the access to them. These restrictions can be found within the documentation of each API.

In order to access data you need an API key. To get an API key, you need to register an application or app. Only UCSD developers with an SSO account can register an application / app. The steps below, walk you through how to register an app:

1. Login via Business System Login
2. Go to the "My Apps" page. The link can be found on the navigation menu at the top of the pages or by going directly to: apps
3. Click on "Add a new App"
4. Enter the information requested
5. Select API product that you need

I want to access data provided by an API. How do I make a call to the API to get the data?

In order to access the data provided by an API, follow the steps below.

Get the Consumer Key and Secret

1. Create your application or use the default application - https://api-qa.ucsd.edu/store/site/pages/applications.jag
2. Go to DEV/QA/PROD section and copy the "Consumer Key" and "Consumer Secret" for use in the section below (as client id and client secret respectively)
3. Browse the documentation of the available APIs ( https://api[-qa].ucsd.edu/store/ ) and subscribe to the one you are interested in
4. Depending on the API you request access to, the approval may take a couple of days or be automatic
   
   

Make the API call

1. HTTP request to get an access token:
   

   curl -X POST --header "Content-Type: application/x-www-form-urlencoded;charset=utf-8" -d "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET" "https://api[-qa].ucsd.edu/<API-ENDPOINT>/token"
   

HTTP to make a request to the API using the access token:

curl -X GET --header "Content-Type: application/x-www-form-urlencoded;charset=utf-8" --header "Authorization: Bearer ACCESS_TOKEN" "https://api[-qa].ucsd.edu/<API-ENDPOINT>"

How do I setup a non-UCSD person to access UCSD published APIs?

The API manager uses UCSD business system to authenticate user for self-service portal and to provide access keys. 

 In order to provide access to someone without access to UCSD business system, one of the UCSD employees will have to act as a proxy to generate key and secret on their behalf.