What is API Authentication?
APIs, or application programming interfaces, are a way for software systems to communicate with one another and exchange data. Most APIs implement some form of authentication to verify the identity of the system requesting data and ensure the security of the API.
Methods of Authentication
There are many methods used for API authentication: keys, tokens, OAuth, etc. This list contains the most common methods used by modern APIs:
An API key is a unique identifier, similar to a password, used to authenticate API requests. API keys are usually passed in the header of a request, but some APIs require that they are passed in a parameter in the request URL, a parameter in a request body, or even a parameter in a cookie. The parameter name varies by API; it might be called X-API-Key, or something totally different.
- Example - API key in URL
- Example - API key in request body
- Example - API key in request header
With Basic Authentication, the user sends a request header where the key is the word Authorization, and the value is the word Basic followed by a space and then the Base64 encoding of username:password (i.e. the user ID and password separated by a colon).
- Example - Basic Auth header
In this method, the user sends a token in a request header, which is checked by the server to verify the authenticity of the client. The header key is the word Authorization, while the value is
- Example - Bearer token header
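The two Authorization header formats described above, shown from both sides as an added example (not code from API Connector or any specific API): a client builds a Basic header, and a server parses and checks it. The function names are assumptions made for this illustration, and the sample credentials are the well-known pair from RFC 7617. Note that Base64 is an encoding, not encryption, so the parser recovers the password directly from the header.

```python
import base64
import binascii
import hmac

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for Basic Authentication."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_authorization(value: str):
    """Return ("basic", (user, password)) or ("bearer", token); raise ValueError otherwise."""
    scheme, _, credentials = value.strip().partition(" ")
    credentials = credentials.strip()
    if not credentials:
        raise ValueError("missing credentials")
    if scheme.lower() == "bearer":
        return "bearer", credentials
    if scheme.lower() != "basic":
        raise ValueError(f"unsupported scheme: {scheme}")
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no colon separator in Basic credentials")
    return "basic", (user, password)

def check_basic(value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check; compare_digest avoids leaking match length via timing."""
    try:
        kind, creds = parse_authorization(value)
    except ValueError:
        return False
    if kind != "basic":
        return False
    user, password = creds
    ok_user = hmac.compare_digest(user.encode(), expected_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), expected_password.encode())
    return ok_user and ok_pass

# Sample credentials (the example pair from RFC 7617), not real ones.
SAMPLE_HEADER = basic_auth_header("Aladdin", "open sesame")
```

Because anyone who can read the header can decode it, Basic and Bearer credentials should only ever be sent over HTTPS and kept out of logs.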
OAuth lets a user grant access to their data to a third party without sharing their login credentials. With OAuth, the user logs into a platform and consents to share data, which produces an access token for the third party platform. These tokens are then refreshed as necessary.
The exchanging of OAuth tokens is handled server-to-server behind the scenes, so the user doesn't need to enter them manually.
While most APIs use one of the above methods, some APIs still use older standards like OAuth1, "signatures" that include the hashing of a specific constructed string, or have their own custom requirements.
There are also some APIs that don't require authentication at all. Here's a list of interesting open APIs that don't have any authentication requirements.