Is there a way to securely store and retrieve an API key in windows?
For instance, is there a windows service/api that can be used by a (c#) desktop app to store and retrieve a key?
CodePudding user response:
If you place your API in your application it can be found by anyone that has the time to reverse engineer your product.
If it's extremely important for the key not to be used by others I would suggest making an online service and simply using your Windows Store app to communicate with the server to get the results. In other words, only your online service will know the API key that way.
If that isn't possible then you just need to face the fact that your key will be found at some point if your application is known enough and is worth "cracking". To make it a bit harder I would suggest avoiding C# since it is extremely easy to reverse engineer .NET applications, even if they have been obfuscated. Which means if the first method isn't an option for you, go for C and make sure your key is encrypted.
CodePudding user response:
If the key has to be placed on a client machine, it can be read out. Which language you use or what kind of storage doesn't matter. At the end you'll have to send that API key to your server to authenticate yourself and at this point someone can use a proxy like Fiddler to inspect the data and record that API key.
To accomplish this issue you need a (web) interface for your customers, where they can log-in and manage their API keys, so they can request new or revoke old keys. Also your desktop tool needs in that case some input mask, where the user can enter that key (and you store it in registry or file system).
By using this approach each customer can use its own key and if it is compromised you (or the customer) have only to revoke this single key without affecting the other customers.