Is OAuth more secure compared to API Keys

  • I have worked on many API integrations scenarios, and I used 2 approaches to authenticate the API calls, as follow:-

    1. Using API Keys

    For example inside hubspot integration i use this web call to get all the accounts using API Key:-**********&properties=website&properties=mse_scan&properties=phone&limit=100
    1. Using OAuth.

    For example inside SharePoint >> I create an app which generate a ClientID & ClientSecret, then inside my project web.config i pass/define the clientID & CleintSecret

     <appSettings file="custom.config">
        <add key="ClientId" value="e****7" />
        <add key="ClientSecret" value="**=" />

    now in both cases we have confidential info been passed/stored, either APIKey or ClientID and ClientSecret. so can i say that from a security point of view I can not say that oAuth is more secure compared to using APIKeys? as if someone (let assume a hacker) get the APIKey then he can integrate with the our application + if a user got the ClientID and ClientSecret then he can integrate with the application as well..

  • OAuth services like Google or FB, or self made OAuth services based e.g. on Keycloak provide very often following features:

    1. Possibility for the users to reset their passwords, where as it is hard or impossible to reissue an API key.
    2. Password reset can be done quickly, where as re-issuing f an API key may take days or weeks, depending you capacity of your customer support team.
    3. Passwords are stored in a hashed form. If password database stolen, it will not reveal passwords and will not help attacker. Where as when the database with API keys is stolen, the attacker can use all API keys.
    4. If the database with API keys is stolen and user accounts abused, it will be very hard to know where the problem is. You will suppose users didn't care about keeping their passwords safe. Users will suppose you have security problems on your side.
    5. The OAuth service can provide 2FA, where as with API key there is single authentication factor only.
    6. In case your application logs requests, also API keys can be logged. Via logs and their backups more people can know the API keys on your side. You need extra efforts to make sure that API key is not written to the log. Where as in case of OAuth your application only obtains a token containing user ID. Thus it is safe to write the whole request to the log.


    All these advantages will be really advantages, if you use some quality OAuth service. If you use the strange approach that you described, with passwords hardcoded in config files, there will be no big difference between two approaches.

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2