The RESTful web service must authenticate requests in order to send a response. Authentication is the process of confirming identity. For example, an ID card or driver’s license can be used to prove identity. Similarly, clients of the RESTful service must prove their identity to the server to establish trust.

The RESTful API supports four common authentication methods:

HTTP authentication

HTTP defines some authentication schemes that can be used when implementing the RESTful API. Two such schemes are summarized below:

Basic authentication

In basic authentication, the client sends a username and password in the request header, joined as username:password and encoded with base64. Base64 merely represents the pair using a 64-character alphabet so that it can travel inside a header; the encoding is reversible and is not encryption, so basic authentication is only as safe as the TLS connection that carries it.

Bearer authentication

Bearer authentication grants access to whoever holds (bears) the token. Typically, the bearer token is an opaque or signed string that the server generates in response to a login request. The client then sends the token in the Authorization header of each request for protected resources.
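As an added example (not code from the original text), the following Python server-side handler parses the Authorization header and verifies both schemes above. The user table, the static salt and the session token are constructed demo values and are assumptions for this example; a real service would keep them in a database with a random salt per user.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo stores (assumption). Passwords are kept only as PBKDF2 hashes and
# bearer tokens only as SHA-256 digests, so a leaked store yields no usable credential.
_SALT = b"constructed-demo-salt"  # assumption: use a random per-user salt in practice


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


USERS = {"alice": _hash_password("correct horse")}
SESSIONS = {_digest("tok-3f9a1c"): "alice"}  # constructed token issued at login


def basic_header(user: str, password: str) -> str:
    """Client side: the exact header value an HTTP library puts on the wire."""
    pair = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def parse_authorization(header: Optional[str]) -> Tuple[str, str]:
    """Split 'Scheme credentials' into (scheme, credentials); the scheme is case-insensitive."""
    if not header:
        raise ValueError("missing Authorization header")
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed Authorization header")
    return parts[0].lower(), parts[1].strip()


def decode_basic(credentials: str) -> Tuple[str, str]:
    """Reverse the base64 step of Basic auth. This is decoding, not decryption:
    anyone who can read the header recovers the password, hence Basic needs TLS."""
    try:
        text = base64.b64decode(credentials, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        raise ValueError("Basic credentials are not valid base64/UTF-8") from exc
    # Split on the first ':' only; the password itself may contain ':'.
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return user, password


def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if the request must be rejected."""
    scheme, credentials = parse_authorization(header)
    if scheme == "basic":
        user, password = decode_basic(credentials)
        candidate = _hash_password(password)
        # Unknown user: compare the candidate with itself so that timing does not reveal
        # whether the username exists; the membership check then rejects it anyway.
        stored = USERS.get(user, candidate)
        if hmac.compare_digest(stored, candidate) and user in USERS:
            return user
        return None
    if scheme == "bearer":
        # The token itself is the credential: whoever bears it is granted access,
        # so the server stores only its digest and looks that up.
        return SESSIONS.get(_digest(credentials))
    raise ValueError(f"unsupported scheme: {scheme}")
```

The Basic branch rehashes the presented password with the stored salt and compares digests in constant time; the Bearer branch never compares the raw token at all, only the digest of what was presented.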

API keys

API keys are another option for REST API authentication. In this approach, the server generates a unique value and assigns it to a client when that client first registers. Whenever the client tries to access resources, it presents this unique key and the server verifies it. API keys are less secure: because the client must hand over the key with every request, the chance of the key being stolen increases.

OAuth

OAuth combines passwords and tokens to log into a system securely. The server first asks for a password and then issues an additional token that completes the authorization process. The server can validate that token on any request, and because each token carries a scope and an expiration date, the access it grants is limited to certain operations and ends after a certain period of time.
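As an added example covering both the API-key and the OAuth paragraphs (this is not code from the original text), the Python below verifies an API key against a store that keeps only key digests, and issues and validates a compact signed access token that carries a scope and an expiration time. The token format is a simplified, self-contained construction chosen for the demo, not the format of any particular OAuth server; the signing key, the API key and the client id are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed demo store (assumption): only the SHA-256 digest of each issued key is kept,
# so a copy of this table does not let anyone use the keys.
API_KEYS: Dict[str, str] = {
    hashlib.sha256(b"ak_live_1234").hexdigest(): "client-42",
}

SIGNING_KEY = b"constructed-server-secret"  # assumption: random and kept out of source in practice


def verify_api_key(presented: str) -> Optional[str]:
    """Return the client id that owns this key, or None. Looking up the digest instead of
    the key means no plaintext key is ever compared or stored server-side."""
    return API_KEYS.get(hashlib.sha256(presented.encode("utf-8")).hexdigest())


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Server side after a successful password login: body.signature, HMAC-SHA256 over the body."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": int(now) + ttl_seconds}
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64u(sig)


def validate_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and scope all check out, else None.
    Signature is checked first so untrusted claims are never interpreted before it passes."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None
        claims = json.loads(_b64u_decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired (or no expiry at all): reject
    if required_scope not in str(claims.get("scope", "")).split():
        return None  # token is valid but not for this operation
    return claims
```

Validation rejects a token whose body was paired with another token's signature, one that has passed its expiration time, and one whose scope does not include the operation being requested; the caller only ever sees claims that survived all three checks.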