How to Secure REST APIs Using API Keys and Rate Limiting?

Riya Patel
1d
217
0
0

Article

Introduction

When you build a REST API, making it functional is only half the job. The real challenge begins when your API is exposed to the internet. Without proper security, anyone can access your endpoints, misuse your resources, or even bring your system down with excessive requests.

This is why securing APIs is critical in real-world applications. Two of the most commonly used and practical techniques are API Keys and Rate Limiting.

In this article, we’ll understand how these techniques work, why they matter, and how to implement them properly in backend applications.

Understanding the Problem: Why API Security Matters

Imagine you’ve built an API for a weather service or an e-commerce platform.

If your API is open:

Anyone can send unlimited requests
Bots can spam your endpoints
Attackers can overload your server

This leads to:

Increased server cost
Poor performance for real users
Possible downtime

To prevent this, we need controlled access and usage limits.

What are API Keys?

API Keys are unique identifiers assigned to clients (users, apps, or services) that want to access your API.

Think of an API key like a password for your API.

When a client makes a request, they include the API key, and your server verifies it before processing the request.

How API Keys Work in Practice

You generate a unique key for each user or application
The client sends the key with every request
Your server validates the key
If valid → request is processed
If invalid → request is rejected

Example: API Key Middleware in Node.js (Express)

const validApiKeys = ["12345", "67890"];

const apiKeyMiddleware = (req, res, next) => {
  const apiKey = req.headers['x-api-key'];

  if (!apiKey || !validApiKeys.includes(apiKey)) {
    return res.status(403).json({ message: "Forbidden: Invalid API Key" });
  }

  next();
};

app.use('/api', apiKeyMiddleware);

In real applications:

API keys are stored in a database
They are linked to specific users or apps

Real-World Use Case for API Keys

Public APIs (Google Maps, payment gateways)
SaaS platforms
Third-party integrations

Each client gets a unique key, allowing you to track and control usage.

Limitations of API Keys

API keys alone are not enough for full security:

They can be leaked if exposed in frontend code
No built-in expiration
No user-level authentication

That’s why they are often combined with other techniques.

What is Rate Limiting?

Rate limiting controls how many requests a client can make in a given time period.

For example:

100 requests per minute
1000 requests per day

If the limit is exceeded, the API blocks further requests temporarily.

Why Rate Limiting is Important

Rate limiting protects your API from:

Abuse (spam requests)
DDoS attacks
Resource exhaustion

It ensures fair usage among all users.

Example: Rate Limiting in Express

Using express-rate-limit:

import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per window
  message: "Too many requests, please try again later",
});

app.use(limiter);

What this does:

Tracks requests per IP
Blocks requests after limit is reached

Combining API Keys with Rate Limiting

In real-world systems, both techniques are used together.

Flow:

Validate API key
Apply rate limit based on key or IP
Process request

This gives you:

Access control (API key)
Usage control (rate limiting)

Example: Key-Based Rate Limiting (Concept)

Instead of limiting by IP, you can limit by API key:

const rateLimitMap = new Map();

function rateLimiter(req, res, next) {
  const key = req.headers['x-api-key'];
  const current = rateLimitMap.get(key) || 0;

  if (current > 100) {
    return res.status(429).send("Rate limit exceeded");
  }

  rateLimitMap.set(key, current + 1);
  next();
}

In production, this is implemented using Redis for scalability.

API Keys vs Rate Limiting

Feature	API Keys	Rate Limiting
Purpose	Identify client	Control usage
Security Level	Moderate	Protective
Prevents Abuse	No	Yes
Tracks Usage	Yes	Yes
Required Together	Yes	Yes

Best Practices for Securing APIs

Never expose API keys in frontend code
Store API keys securely (database or environment variables)
Rotate API keys periodically
Use HTTPS to protect data in transit
Apply rate limiting at multiple levels (IP + user)
Use logging and monitoring

Common Mistakes Developers Make

Hardcoding API keys in code
Not validating API keys properly
Using only API keys without rate limiting
Not handling exceeded limits properly

Advanced Security Enhancements

For production-grade APIs, combine with:

JWT authentication
OAuth 2.0
IP whitelisting
Web Application Firewall (WAF)

Real-World Use Cases

Payment APIs (Stripe, Razorpay)
Maps and location APIs
SaaS platforms with usage-based pricing

These systems rely heavily on API keys and rate limiting.

Conclusion

Securing REST APIs is essential for building reliable and scalable applications. API keys help identify and control access, while rate limiting ensures fair usage and protects your system from abuse.

By combining both techniques and following best practices, you can build APIs that are not only functional but also secure and production-ready.

In modern backend development, security should never be an afterthought—it should be built into your system from the start.