Bless API Book
← Back to Guides

API Authentication Methods

Authentication is a critical aspect of API security. This guide covers the most common authentication methods used in APIs and how to implement them in your applications.

In this guide:

  • API Keys
  • Basic Authentication
  • OAuth 2.0
  • JWT (JSON Web Tokens)
  • API Key Best Practices
  • Choosing the Right Authentication Method

API Keys

API keys are simple string tokens that are passed with API requests to identify the calling application or user. They are one of the most common authentication methods due to their simplicity.

How API Keys Work

API keys are typically included in the request header or as a query parameter. The API provider validates the key against their database to authenticate the request.

Example: Using API Keys in Headers

// Using fetch with an API key in the header
fetch('https://api.example.com/data', {
  headers: {
    'X-API-Key': 'your_api_key_here',
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Example: Using API Keys as Query Parameters

// Using fetch with an API key as a query parameter
fetch('https://api.example.com/data?api_key=your_api_key_here')
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

⚠️ Security Note

When using API keys as query parameters, they become visible in the URL. This is less secure as URLs can be logged in server logs, browser history, and can be visible to third parties. Whenever possible, use header-based authentication instead.

Basic Authentication

Basic Authentication is a simple authentication scheme built into the HTTP protocol. It requires sending a username and password with each request.

How Basic Authentication Works

The client sends a request with an Authorization header containing the word "Basic" followed by a space and a base64-encoded string of "username:password".

Example: Using Basic Authentication

// Using fetch with Basic Authentication
const username = 'your_username';
const password = 'your_password';
const credentials = btoa(username + ':' + password);

fetch('https://api.example.com/data', {
  headers: {
    'Authorization': 'Basic ' + credentials,
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

⚠️ Security Note

Basic Authentication sends credentials with every request and should only be used over HTTPS. The base64 encoding is easily reversible and does not provide any security by itself.

OAuth 2.0

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's account on an HTTP service. It's widely used for delegated authorization.

How OAuth 2.0 Works

OAuth 2.0 involves several steps:

  1. The client requests authorization from the resource owner
  2. The client receives an authorization grant
  3. The client requests an access token from the authorization server
  4. The authorization server authenticates the client and validates the grant
  5. The authorization server issues an access token
  6. The client uses the access token to access protected resources

Example: Using OAuth 2.0 Access Token

// Using fetch with an OAuth 2.0 access token
fetch('https://api.example.com/data', {
  headers: {
    'Authorization': 'Bearer your_access_token_here',
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Example: OAuth 2.0 Authorization Code Flow

// Step 1: Redirect user to authorization URL
function redirectToAuth() {
  const authUrl = 'https://auth.example.com/authorize';
  const clientId = 'your_client_id';
  const redirectUri = encodeURIComponent('https://your-app.com/callback');
  const scope = encodeURIComponent('read write');
  const state = generateRandomString(); // For CSRF protection
  
  // Store state in localStorage for verification later
  localStorage.setItem('oauth_state', state);
  
  // Redirect to authorization server
  window.location.href = `${authUrl}?client_id=${clientId}&redirect_uri=${redirectUri}&scope=${scope}&response_type=code&state=${state}`;
}

// Step 2: Handle the callback and exchange code for token
async function handleCallback() {
  // Get URL parameters
  const urlParams = new URLSearchParams(window.location.search);
  const code = urlParams.get('code');
  const state = urlParams.get('state');
  
  // Verify state to prevent CSRF attacks
  if (state !== localStorage.getItem('oauth_state')) {
    throw new Error('State validation failed');
  }
  
  // Exchange code for token
  const tokenResponse = await fetch('https://auth.example.com/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code: code,
      redirect_uri: 'https://your-app.com/callback',
      client_id: 'your_client_id',
      client_secret: 'your_client_secret'
    })
  });
  
  const tokenData = await tokenResponse.json();
  
  // Store the tokens
  localStorage.setItem('access_token', tokenData.access_token);
  localStorage.setItem('refresh_token', tokenData.refresh_token);
  
  // Redirect to the app
  window.location.href = '/dashboard';
}

JWT (JSON Web Tokens)

JSON Web Tokens (JWT) are an open standard for securely transmitting information between parties as a JSON object. They are commonly used for authentication and information exchange.

How JWT Works

A JWT consists of three parts separated by dots:

  • Header - Contains the type of token and the signing algorithm
  • Payload - Contains the claims (statements about an entity and additional data)
  • Signature - Used to verify that the sender of the JWT is who it says it is

Example: Using JWT for Authentication

// Using fetch with a JWT token
fetch('https://api.example.com/data', {
  headers: {
    'Authorization': 'Bearer your_jwt_token_here',
    'Content-Type': 'application/json'
  }
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Example: Creating and Verifying JWTs (Server-side Node.js)

// Server-side JWT handling with Node.js
const jwt = require('jsonwebtoken');
const secretKey = 'your_secret_key';

// Creating a JWT
function generateToken(user) {
  const payload = {
    sub: user.id,
    name: user.name,
    admin: user.isAdmin,
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + (60 * 60) // 1 hour expiration
  };
  
  return jwt.sign(payload, secretKey);
}

// Verifying a JWT
function verifyToken(token) {
  try {
    const decoded = jwt.verify(token, secretKey);
    return { valid: true, data: decoded };
  } catch (error) {
    return { valid: false, error: error.message };
  }
}

// Middleware to protect routes
function authenticateToken(req, res, next) {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];
  
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }
  
  const verification = verifyToken(token);
  
  if (!verification.valid) {
    return res.status(403).json({ error: 'Invalid or expired token' });
  }
  
  req.user = verification.data;
  next();
}

API Key Best Practices

  • Never expose API keys in client-side code
  • Use environment variables to store API keys
  • Implement key rotation policies
  • Use different API keys for different environments (development, staging, production)
  • Limit API key permissions to only what's necessary
  • Monitor API key usage for suspicious activity
  • Revoke compromised API keys immediately

Example: Storing API Keys Securely in Next.js

// .env.local file
API_KEY=your_api_key_here

// In your Next.js API route (pages/api/data.js)
export default async function handler(req, res) {
  try {
    const response = await fetch('https://external-api.com/data', {
      headers: {
        'Authorization': `Bearer ${process.env.API_KEY}`,
        'Content-Type': 'application/json'
      }
    });
    
    const data = await response.json();
    res.status(200).json(data);
  } catch (error) {
    res.status(500).json({ error: 'Failed to fetch data' });
  }
}

Choosing the Right Authentication Method

The choice of authentication method depends on your specific requirements:

MethodUse CaseProsCons
API KeysSimple server-to-server communicationEasy to implement, low overheadLimited security, no built-in expiration
Basic AuthSimple username/password authenticationWidely supported, easy to implementCredentials sent with every request, no delegation
OAuth 2.0Third-party access, user-centric permissionsDelegated authorization, fine-grained scopesComplex to implement, more overhead
JWTStateless authentication, microservicesSelf-contained, stateless, can include claimsToken size, can't be invalidated before expiry

Decision Flowchart

Use this simplified flowchart to help decide which authentication method is best for your use case:

  • Q: Are you building a public API?
    • Yes: Do you need user-specific permissions?
      • Yes: Use OAuth 2.0
      • No: Use API Keys
    • No: Is it for internal services only?
      • Yes: Do you need stateless authentication?
        • Yes: Use JWT
        • No: Use API Keys or Basic Auth

Conclusion

Choosing the right authentication method is crucial for the security and usability of your API. Consider your specific requirements, the sensitivity of your data, and the technical capabilities of your users when making this decision.

Remember that security is a continuous process. Regularly review and update your authentication mechanisms to address new threats and vulnerabilities.

Next Steps

Now that you understand different authentication methods, you might want to explore: