Should we use API keys for authorization on a public API (instead of JWT)?


We are building a public-facing API. The consumers of this API will be business partners of ours – we will probably have a personal relationship with each one, and I suspect there will only ever be 10-40 of these customers. So we’re not dealing with the same problems that e.g. Spotify/Facebook might with their public APIs.

We want to give each user different API read permissions, so some level of authorization is required.

We were going to issue each customer with an API key, and store the related permissions in a table. But now we’re wondering if we should implement JWTs to handle this.

Pros of API keys:

  • Simple. Easy for the clients to implement (fairly important for us)
  • Makes rate limiting simpler, as there will be fewer auth calls.
  • Cheaper (we are using AWS lambda so paying per request)
  • Quicker for us to build too

Pros of JWTs

  • More established way of handling authorization. No need to reinvent the wheel.
  • Avoid any unforeseen pitfalls around implementing your own access mechanism
  • Fewer database look-ups on our end (but presumably slower flow overall)
  • …any others I’ve missed here?

We’re leaning towards API keys for simplicity, but want to ensure we’re not missing something important.