If you get the error `requests.exceptions.SSLError: hostname 'api.oregonstate.edu' doesn't match either of '*.apigee.net' and 'apigee.net'`, it's most likely because the version of Python, Java, curl, etc. you are using doesn't have SNI support. With SNI, an extension of TLS/SSL, multiple HTTPS targets can be served off the same IP address and port without requiring all those targets to use the same certificate. A client that does not send the server name in its handshake is served the server's default certificate, here the one for '*.apigee.net', which is why hostname verification fails. Not all clients support SNI. For Python specifically, it is supported in 2.x from 2.7.9rc1 and in 3.x from 3.2alpha4 (in the ssl, urllib[2] and httplib modules).

Please check Apigee SNI support for more details. And for more information on SNI, see SNI Wiki and Server Name Indication.
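The following check is an added example, not code from this portal. It reports whether the running Python can send SNI (`ssl.HAS_SNI`) and classifies the mismatch from the error above using a simplified wildcard rule; the function names and result labels are assumptions made for illustration.

```python
import ssl

def sni_available():
    """True when this interpreter's ssl module can send the SNI extension."""
    return bool(getattr(ssl, "HAS_SNI", False))

def name_matches(hostname, pattern):
    """Compare a hostname with one certificate name (simplified rule).

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.apigee.net' covers 'x.apigee.net' but not
    'apigee.net' or 'a.b.apigee.net'.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return host[0] != "" and host[1:] == pat[1:]
    return host == pat

def diagnose(hostname, cert_names, has_sni=None):
    """Classify a hostname check against the names on the served certificate."""
    if has_sni is None:
        has_sni = sni_available()
    if any(name_matches(hostname, n) for n in cert_names):
        return "certificate-ok"
    if not has_sni:
        # No server name was sent, so the default certificate came back.
        return "no-sni-default-certificate"
    # SNI is available: look at proxies or the HTTP library instead.
    return "mismatch-despite-sni"

if __name__ == "__main__":
    names = ["*.apigee.net", "apigee.net"]  # names quoted in the error above
    print(ssl.OPENSSL_VERSION, "HAS_SNI =", sni_available())
    print(diagnose("api.oregonstate.edu", names))
```
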

What are some best practices and recommendations on how to store and protect API keys?

Store API keys / secrets safely

  • Do not embed API keys / secrets directly in code.
  • Do not store API keys / secrets in files inside your application, including the application’s source tree.
  • If you do accidentally commit an API key / secrets to version control, revoke it immediately and generate a new one.
  • Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.
  • Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.
  • Add the configuration file containing the API keys / secrets to the revision control ignore list (e.g. .gitignore). This prevents committing them by mistake in the future.

Limit the usage of API keys / secrets

  • Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and mobile apps that need them.
  • Don't share your API keys / secrets with different applications. If more than one application uses the same API, register each application to get a new set of API keys / secrets.

Update API keys / secrets

  • Delete unneeded API keys / secrets.
  • Update (Regenerate) your API keys / secrets periodically.

References

  1. Best practices for securely using API keys: https://support.google.com/cloud/answer/6310037?hl=en
  2. REST Security Cheat Sheet - OWASP: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

How can I view what data is returned by an API? How can I test an API using my web browser?

In order to view the data provided by an API or test it using this developer portal, follow the steps below.

Get the Consumer Key and Secret

  1. Browse the documentation of the available APIs to help you select one
  2. Register your application
  3. Depending on the API you request access to, the approval may take a couple of days or be automatic
  4. Go to My Apps and click on the application you just registered
  5. Copy the "Consumer Key" and "Consumer Secret" for use in the section below (as client id and client secret respectively)

Make the API call

  1. Use the client id (consumer key) and client key (consumer secret) from the steps above to get an access token.
    1. Select the OAuth2 API.
    2. Click on the "getAccesToken" method 
    3. Enter "client_credentials" under grant type
    4. Enter the client id (consumer key) and client key (consumer secret) from your registered application
    5. Click on the "Send this request" button
    6. View the response and save the "access_token" value
  2. Use the access token to make API calls
    1. Select the API corresponding to the product that you registered for.
    2. Select a method to test
    3. Enter "Bearer XXXX" under the Authorization header, where XXXX is the access token
    4. Enter any required query parameters or URL parameters
    5. Click on the "Send this request" button

Who can access the APIs? Can people not affiliated with OSU access the APIs?

The APIs are available to OSU developers (staff, students and faculty) who have an ONID account. At this point, the APIs are not open to developers outside of OSU. Some APIs have more restrictions or require approvals, which limit access to them. These restrictions can be found within the documentation of each API.

I have a great idea for a new API. The current API doesn't include all the data that I need. How do I submit ideas or feedback about APIs?

If the data that you need is not included in the API, or if you have ideas for new APIs or improvements, please contact us and we will review your request and get back to you.

What is an API key? Why do I need one?

An Application Programming Interface Key (API key) is an alphanumeric code that applications provide when making an API call to identify the calling program. API keys are often referred to by many names, such as app keys, app credentials, or consumer keys. These names are synonymous. API keys help prevent unauthorized access to APIs, and they help define access and limits on the use of APIs. When a developer registers their application in the developer portal, they are given a consumer key and secret. The consumer key and secret are used to get a token that can be used to perform an API call.

In order to access data you need an API key. To get an API key, you need to register an application or app. Only OSU developers with an ONID account can register an application / app. The steps below walk you through how to register an app:

  1. Login via CAS
  2. Go to the "My Apps" page. The link can be found on the navigation menu at the top of the pages or by going directly to: apps
  3. Click on "Add a new App"
  4. Enter the information requested
  5. Select the API product that you need

I want to access data provided by an API. How do I make a call to the API to get the data?

In order to access the data provided by an API, follow the steps below.

Get the Consumer Key and Secret

  1. Browse the documentation of the available APIs to help you select one
  2. Register your application
  3. Depending on the API you request access to, the approval may take a couple of days or be automatic
  4. Go to My Apps and click on the application you just registered
  5. Copy the "Consumer Key" and "Consumer Secret" for use in the section below (as client id and client secret respectively)

Make the API call

  1. HTTP request to get an access token:
    curl -X POST --header "Content-Type: application/x-www-form-urlencoded;charset=utf-8" -d "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET" "https://api.oregonstate.edu/oauth2/token"
    
  2. HTTP request to call the API using the access token:
    curl -X GET --header "Content-Type: application/x-www-form-urlencoded;charset=utf-8" --header "Authorization: Bearer ACCESS_TOKEN" "https://api.oregonstate.edu/<API-ENDPOINT>"
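
The same two requests as a Python client that follows the storage advice earlier on this page: the consumer key and secret come from the environment rather than the source tree, and the secret travels only in the POST body, never in a URL. This is an added example, not code from this portal; the variable names OSU_CLIENT_ID, OSU_CLIENT_SECRET and OSU_API_URL are assumptions, as is a JSON token response carrying "access_token".

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.oregonstate.edu/oauth2/token"  # from the curl call above

def load_credentials(env=os.environ):
    """Read the consumer key/secret from the environment (assumed names)."""
    try:
        return env["OSU_CLIENT_ID"], env["OSU_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError("set %s in the environment" % missing.args[0]) from None

def build_token_request(client_id, client_secret):
    """POST the credentials in the form body so they never appear in a URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=utf-8"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")

def build_api_request(endpoint_url, access_token):
    """GET an API endpoint with the token in the Authorization header."""
    if not endpoint_url.lower().startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    headers = {"Authorization": "Bearer " + access_token}
    return urllib.request.Request(endpoint_url, headers=headers, method="GET")

def fetch_json(request, timeout=10):
    """Send a prepared request and decode the JSON response (assumed format)."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)

def main():
    client_id, client_secret = load_credentials()
    token = fetch_json(build_token_request(client_id, client_secret))["access_token"]
    # OSU_API_URL stands in for the page's <API-ENDPOINT> placeholder.
    data = fetch_json(build_api_request(os.environ["OSU_API_URL"], token))
    print(json.dumps(data, indent=2))

if __name__ == "__main__":
    main()
```
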