
Rest API Basic Authentication

Is it okay if the server returns the API Key and Shared Secret Key when a client tries to log in to the API using Basic Authentication? For example, if a user enters this link http://api.example.com/authorize?auth=some_encoded_Base64_string, the response will be:

    Content-Type: application/xml
    Date: Fri, 10 Nov 2006 20:04:45 GMT
    Transfer-Encoding: chunked
    Authorization: apiKey;secretKey

Will I have issues using this method? I wanted it to be like this since the API core methods will only accept APIKey hashes, and in order to obtain that they need to use the Basic Authentication as their first step. I'm not gonna use OAuth here for now.

I'm trying out the new ASP.NET Web API for this project.

HTTP does not define an Authorization header in the response, so if you need to define a custom header, use the X- prefix.

Also, from the design point of view, HTTP headers are to pass data which is orthogonal to the call. You seem to be trying to pass a piece of data which needs to be in the payload, so I would refrain from using the headers.

I would pass this data in the payload.

If you use SSL and pass data in the URL, HTTP headers or payload, it will be secure.
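
An added example, not part of the original question or answer and not ASP.NET Web API code: a framework-independent Python handler for the login call that reads Basic credentials from the request's `Authorization` header, refuses non-HTTPS requests, and returns the key pair in the response payload as the answer suggests. The names `parse_basic` and `authorize`, the in-memory user store, the JSON body and the `Cache-Control: no-store` header are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample account store (username -> PBKDF2 hash); not from the page.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def parse_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid Base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(scheme, headers):
    """Handle the login call; returns (status, response_headers, body)."""
    if scheme != "https":
        # Basic credentials are only Base64-encoded, so plain HTTP is refused.
        return 403, {}, json.dumps({"error": "https required"})
    challenge = {"WWW-Authenticate": 'Basic realm="api"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, json.dumps({"error": "missing or malformed credentials"})
    user, password = creds
    expected = USERS.get(user, b"\x00" * 32)  # dummy value for unknown users
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return 401, challenge, json.dumps({"error": "invalid credentials"})
    # The key pair goes in the payload, not in a response header or the URL.
    body = json.dumps({"apiKey": secrets.token_hex(16),
                       "secretKey": secrets.token_hex(32)})
    return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, body
```

Calling `authorize("https", {"Authorization": "Basic <Base64 of user:password>"})` returns the status, response headers and JSON body that a real handler would write to the wire.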
