How does Laravel pass API keys to external services?

I tried to digg into the guzzle Swift Transport layers in the vendor code of Laravel to figure out if the api keys were sent over URL parameters with GET, POST or in the a separate header, but could figure out how it is done. Does anyone know how Laravel does it?

CorCronje

6 years ago

Level 6

Hi there, sorry if I don't understand your question.

You can set the base64 encoded token in the authorization header using Guzzle's auth() method when making a request:

http://docs.guzzlephp.org/en/stable/request-options.html#auth

$client->request('GET', '/get', ['auth' => ['username', 'password']]);

On the receiving-end you can inspect the authorization token using Laravel's Illuminate\Http\Request object:

https://laravel.com/api/6.x/Illuminate/Http/Request.html

$token = $request->header('Authorization');

Best,

lasse

6 years ago

Level 9

Thanks for you reply. I'm not looking for how to send the key per se, more how Laravel does it. If Laravel sends the API secrets as a GET or POST request, or if it sends it through the header to the third party service. Is there any best practises for how to send these secrets securely to third parties? That's essentially why I was looking into the Laravel source, for best practises.

tykus

6 years ago

Level 104

How the API token is passed to the third party service will depend on how that service will accept the token, and how the package that sends the request is implemented. You will typically see an Authorization header with a Bearer token, but sometimes I have seen the token passed as a HTTPonly cookie, a query string or even form data. As to security of the token in transit, use HTTPS...

Please or to participate in this conversation.