Friday 22 March 2024

API Authentication

What is API authentication?

API authentication is the process of verifying the identity of a user who is making an API request, and it is a crucial pillar of API security. There are many types of API authentication, such as HTTP basic authentication, API key authentication, JWT, and OAuth, and each one has its own benefits, trade-offs, and ideal use cases. Nevertheless, all API authentication mechanisms share the goal of protecting sensitive data and ensuring the API is not misused.

HTTP basic authentication:

HTTP basic authentication is the most simple way to implement API authentication. It involves sending credentials as user/password pairs in an Authorization header field, where the credentials are encoded using Base64. However, these credentials are not hashed or encrypted, which makes this authentication mechanism insecure unless it is used in conjunction with HTTPS.

API key authentication:

An API key is a unique identifier that an API provider issues to registered users in order to control usage and monitor access. The API key must be sent with every request—either in the query string, as a request header, or as a cookie. Like HTTP basic authentication, API key authentication must be used with HTTPS to ensure the API key remains secure.

JWT authentication:

JWT, which stands for JSON Web Token, is a compact, stateless mechanism for API authentication. When a user logs into an application, the API server creates a digitally signed and encrypted JWT that includes the user's identity. The client then includes the JWT in every subsequent request, which the server deserializes and validates. The user's data is therefore not stored on the server's side, which improves scalability.

OAuth authentication:

OAuth is a token-based authentication mechanism that enables a user to grant third-party access to their account without having to share their login credentials. OAuth 2.0, which provides greater flexibility and scalability than OAuth 1.0, has become the gold standard for API authentication, and it supports extensive API integration without putting user data at risk.

Authorization types supported by Postman

  • No auth
  • API key
  • Bearer token
  • JWT bearer
  • Basic auth
  • Digest auth
  • OAuth 1.0
  • OAuth 2.0
  • Hawk authentication
  • AWS Signature
  • NTLM authentication
  • Akamai EdgeGrid
  • ASAP (Atlassian)


at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Salesforce AI Associate Certification - 3

What is semantic retrieval in the context of LLMs?   Searching for relevant information in other data sources What additional protection do...

  • Salesforce Admin - 2
    Difference between force.com and Salesforce.com : Salesforce.com is a cloud-based customer relationship management (CRM) platform that offer...
  • API Interview Preparation - 2
    What is an API? API stands for "Application Programming Interface". It is a system that enables communication between different so...