Nowadays, payment systems are getting faster and more efficient thanks to the open banking scheme. With this practice, a bank can provide access to customer data and information to third parties through an API (Application Programming Interface) in accordance with their authority. Nevertheless, security factors should not be underestimated, especially when it concerns the use of customer information and data. Thus, BRIAPI as an open banking product for Bank BRI uses an API key as the first security gate.

API key becomes an important element in the authentication and authorization process. By applying it, BRIAPI ensures that every access requested comes from a registered user in BRIAPI. However, before going any further, what exactly is an API key?

Understanding API Key

 API key is used to authenticate project and user

API key is a unique code that serves to provide login access and link code from one developer to another. As already explained, it is beneficial in the authentication process, notably when an API will be run by developers.

In most cases, API providers have already provided an API key for each of their products. BRIAPI has also supported all of its API services with an API key. Its form is a long code with random characters like this:

xaCGLgL.0inklc7mVLWwsAawjYr5Rx-Af50DDqtlx

API key serves to track and control an API that is being used. These two functions make it able to prevent acts of API abuse, either by bots or cyber attacks. It also acts as an authentication token or unique identity of the API user. So, each API user certainly has a different API key.

API key is an important part of the authentication framework used by BRIAPI, OAuth 2.0. Simply put, OAuth 2.0 is used to verify third-party access to their pre-integrated API products. Within the framework, API key becomes Client ID, which is one of the framework credentials. Client ID is an id that represents a user who wants to access the BRIAPI server.

BRIAPI also uses signatures to ensure that the data in each request and response cannot be hijacked by unauthorized users. This signature is generated using SHA256-HMAC algorithm.

HMAC is an acronym for Hash-based message authentication, which is a mechanism for calculating message authentication codes. It involves a cryptographic hash function combined with a secret key. Just like the name, HMAC purpose is to authenticate messages.

API Key Functions

 Several API key functions in the project and user authorization process in BRIAPI

API key helps you with two types of API authorization: project authorization and user authorization. More specifically, it has their own uses in each type of authorization.

On project authorization, API key inspects whether the application that is calling an API actually has the permission. In addition, it is also useful for identifying a project or an application that is calling the API.

API key is always attached to a single entity. In the context of BRIAPI, an entity is a partner. This means that all BRIAPI partners hold their own authentication keys to be able to log in to the BRIAPI server.

In User Authorization, API key verifies whether the user making the API call is the same person as the registered user identity. It can also verify the user's permissions when making certain requests to an API. As a result, it can reduce the risk of being hacked by hackers trying to be end-users of the application.

API Key Benefits

Benefits of API key in authentication and authorization process

There are four benefits of API key, especially in the authentication and authorization process, namely:

Activity on the API server can be logged in the form of a series of calls. Therefore, developers can use specific APIs to filter certain calls.

  1. Block anonymous traffic

    Anonymous traffic is usually an indicator of potential unknown malicious activity. API key can identify application traffic so that if there is suspicious activity or error, it can be identified early on.

  2. Control the number of calls to the API

    This function helps developers set API usage limits and ensures that only permitted traffic can access the API.

  3. Identify usage patterns in API traffic

    By identifying patterns of API usage, developers can monitor potential malicious activity that could threaten the API at any time.

  4. Filter calls

In conclusion, API key plays an important role in ensuring connections between application services are valid and authenticated. It helps the authentication process for both user and device used to call an API. That way, it ensures that users can only access what they should.

In addition to using API key as an authentication gateway, BRIAPI has also followed the open banking security standards set by Bank Indonesia. Since 2019, BRIAPI has been certified to the international standard ISO 27001. In addition, BRI is the first bank in Southeast Asia to receive PA-DSS (Payment Application Data Security Standard) certification from the PCI Security Standard Council as a data security standard in payment applications for Direct Debit products.