I'm interested in creating API keys for web.api and allowing clients to communicate with API using the API keys rather than authorization web.api provides.
I want multiple clients to be able to communicate with the web.api. instead of creating username and password, can I use an api key, and allow clients to communicate with client.
Is there such built-in functionality?
if one wants to implement it, how would you go around it?
See Question&Answers more detail:os
You are able to achieve by using HMAC Authentication. Basically, there might be a database table called ApiKey (apiKey, secretKey). Each client has each Apikey and secret Key:
ApiKey is like a public key and will be sent over HTTP (similar with username).
Secret Key is not sent over HTTP, use this secret key to do hmac some information and send hashed output to the server. From server side, based on the public key, you can get the relevent secret key and hash information to compare with hash output.
I have posted the detailed answer at: How to secure an ASP.NET Web API
You can change Username by ApiKey and Hashed Password by secret key on my answer to map with your idea.
