My manager is suggesting not to use an API key for a Web API I am writing because we are whitelisting the IP address of the client consuming the API, and he doesn't think we need to bother with an API key (i.e., extra time and complexity).
I am interested in the opinion of others.
I think we do require an API key for the following reasons, in DESCENDING order of importance:
1) Allow tracking and limiting of requests from the client based on the API key. Their IP address may possibly change from time to time but the API key should not, so future reporting of requests would be easier with an API key.
2) The whitelisted IP address can be spoofed? From the reading I have done, I think the fact that TLS will be enabled makes this impossible, because a handshake between server and client is done, so a spoofed IP address would cause a failure of this handshake?
3) He doesn't have a clue and I should ignore him on principle :-)
Does the fact that we are relying on whitelisted IP addresses remove the need for separate authentication using the API key (the client has access to all of the API so no need for authorization)?
Relying only on IP whitelisting increases the risk:
1) An operator error can whitelist the wrong IP or IP range.
2) It increases the security requirements for the client: no insecure software can run from those machines or from machines that can share or hijack that external IP.
I'd say that a safer system would rely on IP whitelisting and client SSL certificates.
Your case might be special. However, as a general rule, I'd recommend against using only IP whitelisting.
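The layering discussed in this thread, sketched as an added example that is not part of the original question or answer: a request must pass both the IP allowlist and an API key check, and usage is counted per key so reporting survives a client IP change. The network range, key, client name and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample data: a documentation address range and a made-up key.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Store only a SHA-256 digest of each key, mapped to a client name.
KEY_DIGESTS = {hashlib.sha256(b"demo-key-not-real").hexdigest(): "client-a"}

requests_per_client = Counter()  # keyed by client identity, not by IP


def ip_allowed(remote_ip: str) -> bool:
    """True if the peer address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparsable peer address is treated as not allowed
    return any(addr in net for net in ALLOWED_NETWORKS)


def client_for_key(api_key: str):
    """Return the client name for a valid key, else None."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    match = None
    for stored, client in KEY_DIGESTS.items():
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(stored, digest):
            match = client
    return match


def authorize(remote_ip: str, api_key):
    """Return (status, client). The IP check and the key check must both pass."""
    if not ip_allowed(remote_ip):
        return 403, None
    client = client_for_key(api_key or "")
    if client is None:
        return 401, None  # allowlisted address, but no valid credential
    requests_per_client[client] += 1
    return 200, client
```

A host that shares the allowlisted range, or that was allowlisted by mistake, gets a 401 here instead of full access, which is the gap an IP-only check leaves open.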