Deciding between OAuth and an API Key is not always obvious. Pick the method whose use case matches your situation; the use cases, benefits and drawbacks of each are summarised in the table below.
OAuth vs API Keys

| | OAuth | API Key | API Key + Password |
|---|---|---|---|
| Use Case | Use OAuth for applications that will be used by other people who do not trust your application with their credentials. An API Key puts only a thin layer of indirection between the account's data and whoever holds the key; OAuth reduces the impact of a breach by issuing short-lived access tokens in place of a long-lived API Key. | Suitable for automated processes, such as granting access to an algorithmic trading strategy. Use API Keys only from trusted sources, such as your own private application. | Use an API Key with a dedicated password when running code you do not fully trust, e.g. code that is not your own (imagine a trading bot whose source you downloaded from GitHub). The dedicated password keeps your master credentials out of that code, so a malicious third party cannot harvest your real login details from it. |
| Benefits | Stronger security model than API Keys, and the best fit for large numbers of unknown users: without OAuth you would have to treat every user as a developer and register an API Key for each one. | Ease of use. An API Key is quick to set up and simple to include in the Authorization header using the Bearer scheme. | Just as easy to set up and use as a regular API Key. |
| Drawbacks | More developer responsibility. You need to run a service that catches the OAuth redirect and then exchanges the authorization code (grant code) for an access token. | Secrets can be stolen or compromised, and there is no guarantee a client will store its key responsibly. If you issue a key to a public-facing application, grant only the permissions that application actually needs, and issue keys only to parties you trust. | Similar risks apply to an API Key with a dedicated password, although they are mitigated: the dedicated password at least keeps your master password away from third-party software. |
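The "catch the redirect, then exchange the code for a token" step in the OAuth column is where most of the developer responsibility lives, so here is an added example of that exchange (not code from this page or from any provider's SDK). It assumes hypothetical endpoint and client values (`https://auth.example.com/...`, `app-123`, `s3cret`) and uses an in-process `FakeAuthServer` so the whole flow runs offline; in a real integration the token request goes to the provider's token endpoint over TLS from your server, never from the browser. The points it demonstrates beyond the table: the `state` parameter binds the redirect to the session that started it, authorization codes are single-use and bound to the redirect URI, the requested scopes are limited to what the app needs, and the short-lived access token is refused once it has expired.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoint used for illustration only (not a real service).
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """URL the user is sent to. Ask only for the scopes the app actually needs."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Pull the one-time code out of the redirect, refusing it if state does not match."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise PermissionError(qs["error"][0])
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect was not started by this session")
    return qs["code"][0]


def token_request(code, client_id, client_secret, redirect_uri):
    """Form body POSTed to the token endpoint (over TLS, from the server side only)."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}


class TokenStore:
    """Holds the short-lived access token and refuses to use it once expired."""
    def __init__(self, token_response, now=time.time):
        self._now = now
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")
        self.expires_at = now() + int(token_response["expires_in"])

    def is_expired(self, skew=30):
        # Treat the token as expired slightly early to absorb clock skew and latency.
        return self._now() >= self.expires_at - skew

    def auth_header(self):
        if self.is_expired():
            raise RuntimeError("access token expired; refresh it before calling the API")
        return {"Authorization": "Bearer " + self.access_token}


class FakeAuthServer:
    """Offline stand-in for the provider so the exchange can be run end to end."""
    def __init__(self, client_id, client_secret, ttl=3600):
        self.client_id, self.client_secret, self.ttl = client_id, client_secret, ttl
        self._codes = {}  # code -> redirect_uri it was issued for

    def authorize(self, url):
        """The user approves; the server redirects back with a code and the echoed state."""
        q = parse_qs(urlparse(url).query)
        if q["client_id"][0] != self.client_id or q["response_type"][0] != "code":
            raise PermissionError("unauthorized_client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, req):
        """Exchange a code for a token; codes are single-use and bound to the redirect URI."""
        if req.get("client_secret") != self.client_secret:
            raise PermissionError("invalid_client")
        if self._codes.pop(req.get("code"), None) != req.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": self.ttl, "refresh_token": secrets.token_urlsafe(32)}


def run_flow(server, client_id, client_secret, redirect_uri, scopes, now=time.time):
    """Full authorization-code exchange against `server`; returns the TokenStore."""
    state = secrets.token_urlsafe(16)           # per-session, unguessable
    redirect = server.authorize(build_authorize_url(client_id, redirect_uri, scopes, state))
    code = parse_redirect(redirect, state)      # the "catch the redirect" step
    resp = server.token(token_request(code, client_id, client_secret, redirect_uri))
    return TokenStore(resp, now=now)


if __name__ == "__main__":
    srv = FakeAuthServer("app-123", "s3cret")
    store = run_flow(srv, "app-123", "s3cret", "https://app.example.com/cb", ["accounts:read"])
    print(store.auth_header())
```

The `TokenStore` is what makes the "short-lived token" benefit real in practice: the bearer token is only ever handed to the HTTP layer through `auth_header()`, which fails closed once the token is past its lifetime, so an expired token is never sent and a leaked one has a bounded window of use.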