
REST API Auth

Updated Aug 02, 2021

Overview

APIs often require authentication to keep data safe and prevent unauthorized access. Some APIs are public and read-only, so they may not require authentication.

Authentication vs Authorization

Authentication proves identity, while authorization controls access.

  • Authentication checks who the user is
  • Authorization checks what the user can do
  • Both work together to secure API requests

For example, showing an ID at the airport is authentication, while presenting a ticket at a concert is authorization. Authentication identifies the user, and authorization gives access to resources.

Authentication Mechanisms

Basic Authentication

Basic Authentication, also known as Basic Auth, uses the standard Basic HTTP authentication scheme. Basic Auth transmits credentials as username/password pairs separated with a colon (:) and encoded using Base64.

In a REST API request, the Basic Auth information will be provided in the header:

Authorization: Basic <base64(username:password)>

Basic Auth is the simplest authentication mechanism. It is extremely insecure unless it is paired with requests using HTTPS rather than HTTP. Although the credentials are encoded, they are not encrypted. It is simple to decode the credentials and get the username/password pair.

Bearer authentication

Bearer Authentication, also known as Token Authentication, uses the standard Bearer HTTP authentication scheme. It is more secure than Basic Authentication and is typically used with OAuth and Single Sign-On (SSO).

This uses a bearer token, which is a string generated by an authentication server such as an Identity Service (IdS).

In a REST API request, the Bearer Auth information will be provided in the header:

Authorization: Bearer <bearer token>

Just like Basic Authentication, Bearer Authentication should be used with HTTPS.
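The two header formats above, handled end to end as an added example (not code from the original page): a client builds the Basic credential, and a server-side check parses the Authorization header, dispatches on the scheme, decodes the Base64 pair (showing that encoding is reversible, not encryption) and verifies it with a constant-time comparison. The user and token stores are constructed for the example; a real service would store salted password hashes and verify IdS-issued tokens with the issuer.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample stores for this example only. A real service keeps
# salted password hashes and verifies IdS-issued tokens with the issuer.
USERS = {"alice": "s3cret-pass"}
BEARER_TOKENS = {"tok-0123456789abcdef": "alice"}


def basic_auth_header(username: str, password: str) -> str:
    """Client side: Base64 of 'username:password', prefixed with the scheme."""
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def decode_basic(credential: str) -> Tuple[str, str]:
    """Recover the plaintext pair; Base64 is reversible, not encryption."""
    raw = base64.b64decode(credential, validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credential must be 'username:password'")
    return username, password


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Server side: return the authenticated username, or None on failure."""
    if not authorization:
        return None
    # The scheme token ('Basic' or 'Bearer') precedes the credential.
    scheme, _, credential = authorization.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() == "basic":
        try:
            username, password = decode_basic(credential)
        except (ValueError, UnicodeDecodeError):
            return None  # malformed Base64 or missing colon
        expected = USERS.get(username)
        # Constant-time comparison: does not leak how many bytes matched.
        if expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")
        ):
            return username
        return None
    if scheme.lower() == "bearer":
        return BEARER_TOKENS.get(credential)  # opaque token lookup
    return None  # unknown scheme
```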

API key

API keys, also referred to as API tokens, are unique alphanumeric strings generated by the server and assigned to a user. To obtain a unique API key, the user typically logs into a portal using their credentials. This key is usually assigned once and is not regenerated.

There are two types of API keys:

  • Public keys can be shared for limited access.
  • Private keys must not be shared as they act like a password.

API keys can be sent in different ways:

  • In query strings for public keys
  • In headers using Authorization or a custom key
  • In body data with Content-Type: application/json
  • In cookies as API_KEY=<API Key>

Just as with the other types of authentication, API keys are only secure when used with HTTPS.

Info: API keys are intended to be an authentication mechanism, but are commonly misused as an authorization mechanism.

Authorization Mechanisms

OAuth (Open Authorization) combines authentication and authorization to provide secure API access. It is commonly used in modern REST APIs.

  • Pre-registered apps can act on a user's behalf
  • Users do not share credentials with the app
  • Users receive a token from an Identity Service (IdS)
  • The app uses the token as Bearer Authentication

The process of getting the token is called a flow. After the token is issued, the application includes it in API requests using Bearer Authentication. The API server then verifies the token with the authorization server and checks if the request is allowed.

This approach keeps user credentials safe and ensures that only authorized actions are performed.