2.5 Key-Based Authentication
Free APIs are nice, but you usually get what you pay for. If you want access to better datasets and functionality, it will not likely be something made freely available to the public. But there are many ways to access secure web services that require authentication.
To follow along, start by getting a key from data.gov signup. We will use the US Department of Commerce as an example below: commerce.gov developer-resources.
Querystring/Parameter Keys
The simplest form of authentication involves placing some type of key or token in the querystring as a Data sent to a URL in the querystring in a dictionary (?key=value) format. . This is what we do for the rest of the web services available via data.gov. Once you have your free key issue from the link above, copy your key into the code below:
import requests
import json
key = '****************************************' # Paste your key over these stars; keep the quotes
url = "https://api.commerce.gov/api/news?api_key=" + key # the parameter is '?api_key=**************'
request = requests.get(url)
json_data = json.loads(request.text)
clean_data = json.dumps(json_data, indent=2)
print(f"Number of articles: {len(json_data['data'])}")
print(clean_data)
# Output
# Number of articles: 50
# {
# "jsonapi": {
# "version": "1.0",
# "meta": {
# "links": {
# "self": {
# "href": "http://jsonapi.org/format/1.0/"
# }
# }
# },
# "parsed": true
# },
# "data": [
# {
# "type": "news",
# "id": "48",
# "self": "https://www.commerce.gov/news/press-releases/2017/10/former-secretary-commerce-pritzkers-official-portrait-unveiled",
# "nid": 48,
# "label": "Former Secretary of Commerce Pritzker\u2019s Official Portrait Unveiled",
# "created": 1508360246,
# "updated": 1513969347,
# "href": "https://www.commerce.gov/news/press-releases/2017/10/former-secretary-commerce-pritzkers-official-portrait-unveiled",
# "body": "<p>Today, U.S. Secretary of Commerce Wilbur Ross attended the unveiling of former U.S. Secretary of Commerce...",
# "publication": null,
# "post_date_formatted": null,
# "release_status": "FOR IMMEDIATE RELEASE",
# "subtitle": null,
# "orgs": null,
# "categories": null,
# "admin_officials": [
# {
# "id": "9",
# "label": "Wilbur Ross",
# "href": "https://www.commerce.gov/about/leadership/wilbur-ross"
# }
# ],
# "documents": null,
# "image": null,
# "video": null,
# "news_type": [
# {
# "id": "61",
# "label": "Press releases",
# "href": "https://www.commerce.gov/news/press-releases"
# }
# ],
As you can see, this endpoint simply returns recent news press releases by www.commerce.gov. However, you can browse the API documentation to find many other useful endpoints that require a key parameter.
What is the implication of placing the key in the querystring parameter? Well, by placing it in the querystring, it is visible to any network listeners if the secure sockets layer (SSL) is not being used. A hacker could simply copy the API key and use it all they want. If you have to pay for an API key per use, then you are going to get a large bill. However, web service providers know this and will always use SSL (thus, requiring https in the URL as opposed to http), which means that the key will be encrypted. Hackers can still listen to network traffic and capture the URL, but they would have to crack the encryption to see the key.