API Authentication Overview
Authentication verifies who is making an API request. This is essential for protecting sensitive data and controlling access to resources.
Authentication vs Authorization
| Concept | Question | Example |
|---|---|---|
| Authentication | Who are you? | Verifying user identity |
| Authorization | What can you do? | Checking permissions |
Common Authentication Methods
1. API Keys
Simple string tokens sent with each request.
GET /api/data
X-API-Key: sk_live_abc123xyz
2. Basic Authentication
The string username:password, Base64-encoded. Base64 is a reversible encoding, not encryption, so anyone who can read the header can recover the password.
GET /api/data
Authorization: Basic dXNlcjpwYXNzd29yZA==
3. Bearer Tokens (JWT)
Token-based authentication, typically using JSON Web Tokens (JWTs). The server verifies the token rather than looking up a session.
GET /api/data
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
4. OAuth 2.0
Delegated authorization: a user grants a third-party application scoped access, and the application presents the resulting access token on each request.
GET /api/data
Authorization: Bearer oauth_access_token_here
Where to Send Credentials
In Headers (Recommended)
Authorization: Bearer token123
X-API-Key: key123
In Query String (Not Recommended)
GET /api/data?api_key=key123
Why not recommended?
- Logged in server logs
- Cached by browsers
- Visible in browser history
- Shared when copying URLs
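To make the four methods above and the header-versus-query-string distinction concrete, here is an added example (not code from the original lesson) that inspects a request the way a server would: it parses the Authorization and X-API-Key headers, decodes a Basic credential to show how little protection Base64 gives, tells a JWT-shaped bearer token from an opaque one by its three-segment shape, and flags credentials that arrived in the query string. The header objects and the list of query parameter names are constructed for the example; Node.js lowercases incoming header names, so lookups use lowercase keys.

```javascript
// Added example, not from the original lesson. Classifies the credentials on
// an incoming request by the authentication method they belong to.

// Query parameter names that commonly carry credentials (constructed list).
const QUERY_CREDENTIAL_KEYS = ['api_key', 'apikey', 'token', 'access_token'];

// Decode a Basic credential: "dXNlcjpwYXNzd29yZA==" -> { user: 'user', password: 'password' }.
// Base64 is reversible encoding, not encryption, so this needs no key.
function decodeBasic(encoded) {
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // RFC 7617: only the first colon separates user from password
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Returns { method, credential } for the credentials found in the headers, or null if none.
// `headers` is an object with lowercase keys, as Node.js provides them.
function classifyCredentials(headers) {
  const auth = headers['authorization'];
  if (auth) {
    const match = /^(\S+)\s+(.+)$/.exec(auth.trim());
    if (!match) return { method: 'malformed', credential: null };
    const scheme = match[1].toLowerCase();
    const value = match[2];
    if (scheme === 'basic') {
      const creds = decodeBasic(value);
      return creds ? { method: 'basic', credential: creds } : { method: 'malformed', credential: null };
    }
    if (scheme === 'bearer') {
      // Three dot-separated base64url segments is the shape of a JWT; anything else
      // is treated as an opaque bearer token such as an OAuth 2.0 access token.
      const isJwt = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(value);
      return { method: isJwt ? 'jwt' : 'bearer', credential: value };
    }
    return { method: 'unknown-scheme', credential: null };
  }
  if (headers['x-api-key']) return { method: 'api-key', credential: headers['x-api-key'] };
  return null;
}

// Names of credential-carrying query parameters present in the request URL.
// Anything returned here will end up in server logs, caches and browser history.
function credentialsInQuery(url) {
  const params = new URL(url, 'http://localhost').searchParams;
  return QUERY_CREDENTIAL_KEYS.filter((key) => params.has(key));
}
```

A server that wants to enforce the "headers only" rule can call `credentialsInQuery` first and reject the request before the credential is ever used, so the secret is never accepted from a location where it leaks.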
HTTP Status Codes for Auth
| Code | Meaning | When to Use |
|---|---|---|
| 401 | Unauthorized | Missing or invalid credentials |
| 403 | Forbidden | Valid credentials, but no permission |
401 Unauthorized
GET /api/users
# No Authorization header
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api"
{
"error": {
"code": "AUTHENTICATION_REQUIRED",
"message": "Please provide valid credentials"
}
}
403 Forbidden
DELETE /api/admin/users/1
Authorization: Bearer user_token # Regular user, not admin
HTTP/1.1 403 Forbidden
{
"error": {
"code": "INSUFFICIENT_PERMISSIONS",
"message": "Admin access required"
}
}
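The two responses above are produced by one decision chain: no or bad credentials give 401 with a WWW-Authenticate challenge, recognised credentials without the right permission give 403. The following added example (not code from the original lesson) implements that chain as a small middleware function. The token table, the route-to-role map, the claim names and the clock value are all constructed for the example; a real service would verify signed tokens rather than look them up in a map.

```javascript
// Added example, not from the original lesson: a minimal auth middleware that
// distinguishes 401 (who are you?) from 403 (you may not do that).

// Constructed token store: token string -> claims. `exp` is Unix seconds.
const TOKENS = {
  user_token: { sub: 'alice', role: 'user', exp: 1700003600 },
  admin_token: { sub: 'bob', role: 'admin', exp: 1700003600 },
  expired_token: { sub: 'carol', role: 'admin', exp: 1700000000 },
};

// Constructed route table: "METHOD path" -> minimum role required.
const ROUTES = {
  'GET /api/users': 'user',
  'DELETE /api/admin/users/1': 'admin',
};

const ROLE_RANK = { user: 1, admin: 2 };

function unauthorized(code, message) {
  return {
    status: 401,
    headers: { 'WWW-Authenticate': 'Bearer realm="api"' }, // tell the client how to authenticate
    body: { error: { code, message } },
  };
}

function forbidden(requiredRole) {
  return {
    status: 403,
    headers: {},
    body: { error: { code: 'INSUFFICIENT_PERMISSIONS', message: `${requiredRole} access required` } },
  };
}

// `req` has { method, path, headers } with lowercase header names;
// `now` is Unix seconds, passed in so the expiry check is testable.
function authenticate(req, now) {
  const auth = req.headers['authorization'] || '';
  const match = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!match) return unauthorized('AUTHENTICATION_REQUIRED', 'Please provide valid credentials');

  const claims = TOKENS[match[1]];
  // Unknown and expired tokens are both "we do not know who you are": 401, not 403.
  if (!claims) return unauthorized('INVALID_TOKEN', 'Token is not recognised');
  if (claims.exp <= now) return unauthorized('TOKEN_EXPIRED', 'Token has expired');

  const required = ROUTES[`${req.method} ${req.path}`];
  if (!required) return { status: 404, headers: {}, body: { error: { code: 'NOT_FOUND', message: 'No such route' } } };
  // Identity is established; now check permission.
  if (ROLE_RANK[claims.role] < ROLE_RANK[required]) return forbidden(required);

  return { status: 200, headers: {}, body: { user: claims.sub } };
}
```

Note that an expired token is answered with 401 rather than 403: the server cannot vouch for the identity any more, so the client should re-authenticate (or refresh) rather than conclude it lacks permission.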
Security Best Practices
1. Always Use HTTPS
Never send credentials over unencrypted connections.
2. Don't Log Credentials
// Bad: dumps every header, including Authorization and X-API-Key
console.log('Request:', req.headers);
// Good: copy the headers and overwrite the secret before logging
// (Node.js lowercases incoming header names, so the key is 'authorization')
console.log('Request:', { ...req.headers, authorization: '[REDACTED]' });
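The "Good" line above redacts one header by one exact key. The added example below (not code from the original lesson) generalises it into a helper that redacts every credential-bearing header regardless of name casing, and also scrubs credential parameters out of the request URL, since a key sent in the query string would otherwise be logged verbatim. The header and parameter name lists are constructed for the example; extend them to match your own API.

```javascript
// Added example, not from the original lesson: redact credentials from a request
// before it is written to a log.

// Constructed lists; header matching is case-insensitive because casing varies
// between clients, proxies and frameworks.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'x-api-key', 'cookie', 'set-cookie']);
const SENSITIVE_PARAMS = new Set(['api_key', 'apikey', 'token', 'access_token', 'password']);

// Return a copy of `headers` with secret values replaced. Keys keep their original casing.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Return the path and query of `url` with secret parameter values replaced.
function redactUrl(url) {
  const u = new URL(url, 'http://localhost'); // base only so relative paths parse
  for (const key of [...u.searchParams.keys()]) { // copy first; set() mutates the list
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) u.searchParams.set(key, 'REDACTED');
  }
  return u.pathname + u.search;
}

// The record to log in place of console.log('Request:', req.headers).
function requestLogRecord(req) {
  return { method: req.method, url: redactUrl(req.url), headers: redactHeaders(req.headers) };
}
```

Usage is `console.log('Request:', requestLogRecord(req));`. Redacting at the point where the log record is built, rather than at each call site, is what keeps a later `console.log(req.headers)` added by someone else from undoing the protection.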
3. Use Short-Lived Tokens
Access tokens should expire after a short lifetime (15 minutes to 1 hour), so a leaked token is only useful for a limited window.
4. Implement Token Refresh
Let clients exchange a refresh token for a new access token, so users are not asked to log in again each time the short-lived access token expires.
5. Rate Limit Authentication
Limit the number of attempts a client may make against login and token endpoints, to slow brute-force and credential-stuffing attacks.
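As an added example of practice 5 (not code from the original lesson), here is an in-memory fixed-window limiter applied to a simulated login handler. Counters are keyed on the pair of client address and attempted username, which is a constructed choice: keying on the username alone lets anyone lock a victim out by spamming wrong passwords, while keying on the address alone is blind to an attacker spreading attempts across many accounts. The window length, attempt limit, and the `verify` callback are all constructed for the example; a production deployment keeps the counters in a shared store so every server instance sees the same counts.

```javascript
// Added example, not from the original lesson: rate limiting failed logins.

const WINDOW_MS = 15 * 60 * 1000; // 15-minute window (constructed value)
const MAX_ATTEMPTS = 5;           // failed attempts allowed per key per window (constructed value)

const attempts = new Map(); // key -> { count, windowStart }

// Decide whether a login attempt for `key` may proceed at time `now` (ms since epoch).
function checkLoginAllowed(key, now) {
  const entry = attempts.get(key);
  if (!entry || now - entry.windowStart >= WINDOW_MS) return { allowed: true, retryAfterSeconds: 0 };
  if (entry.count < MAX_ATTEMPTS) return { allowed: true, retryAfterSeconds: 0 };
  const retryAfterSeconds = Math.ceil((entry.windowStart + WINDOW_MS - now) / 1000);
  return { allowed: false, retryAfterSeconds };
}

// Count a failed login; the window starts at the first failure.
function recordLoginFailure(key, now) {
  const entry = attempts.get(key);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    attempts.set(key, { count: 1, windowStart: now });
  } else {
    entry.count += 1;
  }
}

// A successful login clears the counter for that key.
function recordLoginSuccess(key) {
  attempts.delete(key);
}

// Simulated login handler. `verify(username, password)` is a constructed credential check.
function handleLogin(ip, username, password, now, verify) {
  const key = `${ip}|${username.toLowerCase()}`;
  const gate = checkLoginAllowed(key, now);
  if (!gate.allowed) {
    // 429 with Retry-After tells well-behaved clients when to try again.
    return { status: 429, headers: { 'Retry-After': String(gate.retryAfterSeconds) } };
  }
  if (verify(username, password)) {
    recordLoginSuccess(key);
    return { status: 200, headers: {} };
  }
  recordLoginFailure(key, now);
  // Same response for an unknown user and a wrong password, so the endpoint
  // does not reveal which usernames exist.
  return { status: 401, headers: { 'WWW-Authenticate': 'Bearer realm="api"' } };
}
```

Only failures are counted, so a legitimate user who types the right password on the first try is never slowed down; once the limit is hit, even the correct password is refused with 429 until the window passes.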
Summary
| Method | Use Case | Security Level |
|---|---|---|
| API Keys | Server-to-server | Medium |
| Basic Auth | Simple internal APIs | Low |
| Bearer/JWT | User authentication | High |
| OAuth 2.0 | Third-party access | High |
The next lessons will dive deeper into API keys and JWTs.

