What is API Authentication?

APIs, or application programming interfaces, are a way for software systems to communicate with one another and exchange data. Most APIs implement some form of authentication to verify the identity of the system requesting data and ensure the security of the API.


Methods of Authentication

There are many methods used for API authentication: keys, tokens, OAuth, etc. This list contains the most common methods used by modern APIs:

API Keys

API keys are a unique identifier, similar to a password, used to authenticate API requests. API keys are usually passed in the header of a request, but some APIs require that they are passed in a parameter in the request URL, a parameter in a request body, or even a parameter in a cookie. The parameter name varies by API; it might be called apikey, key, X-API-Key, or something totally different.

  • Example - API key in URL
  • Example - API key in request body
  • Example - API key in request header
    API-KEY: abc12345

Basic Authentication

With Basic Authentication, the user sends a request header where the key is the word Authorization, and the value is the word Basic followed by a space and then the base 64 encoding of username:password (i.e. the user ID and password separated by a colon)

  • Example - Basic Auth header
    Authorization: Basic YW5ha3Jhdml0ejpteXBhc3N3b3Jkauthentication-basicauth

Bearer Token

In this method, the user sends a token in a request header, which is checked by the server to verify the authenticity of the client. The header key is the word Authorization, while the value is Bearer token

  • Example - Bearer token header
    Authorization: Bearer eyw123456789


OAuth lets a user grant access to their data to a third party without sharing their login credentials. With OAuth, the user logs into a platform and consents to share data, which produces an access token for the third party platform. These tokens are then refreshed as necessary.

The exchanging of OAuth tokens is handled server-to-server behind the scenes, so the user doesn't need to enter them manually.


While most APIs use one of the above methods, some APIs still use older standards like OAuth1, "signatures" that include the hashing of a specific constructed string, or have their own custom requirements.

There are also some APIs that don't require authentication at all. Here's a list of interesting open APIs that don't have any authentication requirements.

Leave a Comment

Jump To