Why do even APIs need authentication? For APIs that are read-only, sometimes users don’t need keys. But most commercial APIs require authorization in the form of API keys or other methods. If there is no API security, users can make unlimited API requests without any authorization. Allowing unlimited requests will complicate the revenue model for your API.
In addition, without authentication, there would be no easy way to associate requests with specific user data. And there would be no way to protect against requests from malicious users who might delete another user’s data (for example, by removing DELETE requests for another user’s account).
Finally, there would be no way to track who is using the API or which endpoints are used most often. Clearly, API developers need to think about ways to authenticate and authorize requests to their APIs.
In general, API authentication and authorization serve the following purposes:
- authenticating requests to an API for registered users only;
- tracking who is making requests;
- tracking API usage;
- blocking or slowing down a user who exceeds speed limits;
- applying different levels of authorization for different users.
Different types of authorization
There are several methods of authorization. Below we’ll look at a few authorization options that are most common:
- API key;
- Basic Auth;
- HMAC;
- OAuth 2.0.
API key
Most APIs require authorization with an API key in order to use the API. An API key is a long string that is usually included either in the request URL or in the request header. The API key basically serves as a way to identify the person making the API request (authenticating to use the API). The API key can also be associated with the specific application that is registering.
APIs can give either a public or private key. The public key is usually included in the request, while the private key is treated more like a password and is only used when communicating between servers. On some API documentation sites, the API key is automatically populated in the sample code and API Explorer when you go to the site.
Basic Auth
Another type of authorization is called Basic Auth. With this method, the sender places a username:password pair in the request header. The username and password are encoded using Base64, which is an encoding method that converts the username and password into a set of 64 characters to ensure secure transmission.
HMAC (Hash-based message authorization code)
HMAC stands for Hash-based message authorization code and is a stronger type of authentication, more common in financial APIs. In HMAC, only the sender, and the receiver know the secret key, which is unknown to anyone else. The sender creates a message based on some system properties (e.g., the timestamp of the request plus the account ID).
The message is then encoded with the secret key and passed through a secure hashing algorithm (SHA – secure hashing algorithm). (A hash is an encrypted string based on the algorithm.) The resulting value, called a signature, is placed in the request header.
The API server (the recipient), upon receiving the request, takes the same system properties (request timestamp plus account ID) and uses the secret key (which is known only to the requestor and the API server) and SHA to generate the same string. If the string matches the signature in the request header, the request is accepted. If the strings do not match, the request is rejected.
OAuth 2.0.
One popular method of authenticating and authorizing users is OAuth 2.0. This approach relies on an authentication server to communicate with an API server to grant access. You can recognize that the OAuth 2.0 method is being used when you are prompted to log in using third-party services like Twitter, Google, or Facebook.