Application Programming Interfaces, or APIs, can handle enormous amounts of data. The type of data can be pretty much anything, such as a product’s information and specifications, a user’s email address and phone number, the credit card used for a transaction, or a person’s social security number. Because APIs are used to handle publicly available information as well as confidential information, many APIs have some form of authentication method to make sure that the user requesting a piece of information is who they say they are to help prevent misuse of information.
Authentication vs. Authorization
To better understand API authentication, we need to differentiate authentication and authorization. Authentication is when an entity proves an identity, whereas authorization is when an entity proves a right to access. In other words, in the case of authentication, you have to prove you are who you say you are. For authorization, you have to prove that you are allowed to access such information. To make sure that we’re all on the same page, this article will be referencing authentication, not authorization.
Popular API Authentication Methods
There are multiple methods of API authentication, and each has its own pros and cons. Some are more thorough and secure while others are more basic. The method an API uses should depend on the sensitivity of the data being transmitted. For example, an API that transfers funds from your bank account to Venmo or PayPal should use a more secure method, such as OAuth, whereas an API that transfers the history of your calorie intake could get by with API Key Authentication. This doesn’t mean that the latter can’t use the same authentication method as the former, but it might not be worth the developers’ time and effort to implement it.
HTTP Basic Authentication
HTTP Basic Authentication is the simplest method of API authentication. The client joins the username and password into a single username:password string, Base64-encodes it, and sends it in the HTTP Authorization header. The server decodes the header and compares the credentials to those it has stored. If they match, the user gets access to the information; if they do not, the server rejects the request with an error status code. This approach requires no cookies, session IDs, login pages, handshakes, or other complex response systems, making it fairly easy to implement.
The issue with HTTP Basic Authentication is its security. Because the username and password themselves are sent with every request, the exchange is only as secure as the transport: unless it is strictly enforced over TLS (SSL), it is vulnerable to man-in-the-middle attacks, in which an attacker intercepts the data in transit. The attacker can then redirect the data elsewhere or simply listen in on the conversation.
An HTTP Basic Authentication request might look something like this:
curl "https://example.com/" \
-H "Authorization: Basic bXlVczNybkBtZTpteVA0c3N3MHJk"
Here “Basic” indicates that we are using Basic Access Authentication, and the string after it is simply the Base64 encoding of “myUs3rn@me:myP4ssw0rd”. Base64 is an encoding, not encryption, so anyone who can read the header can recover the credentials. Once the server decodes the Base64 and confirms that the credentials match what it has on file, you’ll have access to the data.
API Key Authentication
API Key Authentication is a technique meant to make authentication a little more secure. It partly fixes the security issue that HTTP Basic Authentication faces by replacing the username and password with an API Key, a long, unguessable string of letters and numbers.
Additionally, there is no standard for how an API Key is transmitted. It can be passed in the Authorization header, in a dedicated header such as X-API-Key, as a query string parameter at the end of the URL, or in the request body. In other words, how the API Key is sent is entirely up to the developers of the API.
Creating and implementing API Keys isn’t a difficult task; it is actually quite fast and easy compared to other authentication methods. Some APIs generate keys from the user’s hardware and IP data, while others generate them from something entirely random, or from a mix of several inputs. Regardless of how the key is generated, as long as the server stores a copy of the API Key and the user keeps theirs, the user can quickly gain access to the data.
The downside of API keys is that they are not a method of authorization. As mentioned earlier, authorization and authentication are not the same thing. Just as with HTTP Basic Authentication, anyone who obtains an API Key gains access to all of the information that key can reach. API Keys only remove an attacker’s ability to guess their way into the system. If a server is insecure and an attacker gets hold of some API Keys, that protection is gone unless an authorization system is in place alongside the API Key Authentication method.
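As an added illustration (not code from the original article), here is a small server-side check that decodes the Basic header shown above and accepts an API key from either a dedicated header or the query string, storing only salted hashes of the secrets; the usernames, keys and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample secrets for this example; a real server stores only a
# salted hash of each password or API key, never the plaintext value.
SALT = b"constructed-example-salt"

def stored_form(secret: str) -> bytes:
    """Salted SHA-256 of a password or API key, as kept on the server."""
    return hashlib.sha256(SALT + secret.encode()).digest()

USERS = {"myUs3rn@me": stored_form("myP4ssw0rd")}                 # username -> hash
API_KEYS = {"calorie-app": stored_form("k_constructed_example_key_0123")}  # owner -> hash

def secret_matches(presented: str, stored: bytes) -> bool:
    # compare_digest runs in constant time, so response timing leaks nothing
    return hmac.compare_digest(stored_form(presented), stored)

def decode_basic(header: str):
    """Recover (username, password) from an 'Authorization: Basic ...' header.
    Base64 is reversible, which is why Basic auth is only safe over TLS."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        user, sep, password = base64.b64decode(payload, validate=True).decode().partition(":")
    except ValueError:  # malformed Base64 or non-UTF-8 bytes
        return None
    return (user, password) if sep else None

def authenticate(headers: dict, url: str):
    """Return the authenticated principal, or None so the caller can reject."""
    creds = decode_basic(headers.get("Authorization", ""))
    if creds:
        user, password = creds
        stored = USERS.get(user)
        return user if stored and secret_matches(password, stored) else None
    # API key: dedicated header first, then query string, as the text describes
    key = headers.get("X-API-Key") or parse_qs(urlparse(url).query).get("api_key", [None])[0]
    if key:
        for owner, stored in API_KEYS.items():
            if secret_matches(key, stored):
                return owner
    return None
```

Decoding the article's own header with decode_basic returns the plaintext pair, which is the whole reason the Basic scheme depends on TLS.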
OAuth
Open Authorization, or OAuth, is a technique that offers both authentication and authorization. OAuth works by requiring the user to first log in to the application with their credentials. After the login, the application requests authentication from the API server in the form of a token. The token typically has a limited scope (meaning a limited set of systems the token can be used with) and a limited period of validity (meaning the token expires after a certain amount of time). The application then forwards each request, with the token attached, to the authentication server, where the request is accepted or rejected.
As you can see, OAuth takes more steps before the user can gain access to the information. The user entering their credentials acts as a form of authorization. Getting the token from the API server is the authentication part of the process, and the token cannot be obtained without the user first logging in. The user never shares their credentials with the third-party application, keeping their login information secure, and since the token only exists for a limited amount of time, a breach of the system wouldn’t have the same impact as one where the token never expires. These multiple layers make OAuth one of the most popular and secure API authentication methods available.
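To show what limited scope and expiry mean in practice, here is an added example (not from the article, and a simplified stand-in for a real OAuth provider's token format) in which an authorization server mints a signed token carrying a scope list and an expiry time, and the API rejects it if the signature, the expiry, or the scope does not check out; the signing key and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the authorization server and the API.
# A real OAuth deployment uses the provider's own keys and token format.
SIGNING_KEY = b"constructed-example-signing-key"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> bytes:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()

def issue_token(subject: str, scope, ttl: int, now=None) -> str:
    """Authorization server: mint a token limited in scope and lifetime."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": sorted(scope), "exp": now + ttl}
    body = b64u(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + b64u(sign(body))

def verify_token(token: str, required_scope: str, now=None):
    """API server: accept the token only if the signature is genuine, the
    token has not expired, and it carries the scope this endpoint needs.
    Returns the subject on success, otherwise None."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    try:
        if not hmac.compare_digest(unb64u(sig), sign(body)):
            return None  # tampered with or forged
        claims = json.loads(unb64u(body))
        if claims["exp"] <= now or required_scope not in claims["scope"]:
            return None  # expired, or not issued for this action
        return claims["sub"]
    except (KeyError, TypeError, ValueError):  # malformed token
        return None
```

A stolen token is therefore useful only until its expiry and only for the scope it was issued with, which is the limited-impact property the section describes.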
Choosing the Best API Authentication Method
Of these three authentication methods, OAuth is clearly the most secure option. But the best option depends on your situation. API Key Authentication is still widely used because of how fast and easy it is to implement, and it offers more security than HTTP Basic Authentication without much extra work. If your situation doesn’t involve critical or sensitive information, then API Keys or HTTP Basic Authentication might be your best option because of their ease of use and implementation. Still, it’s hard to argue against OAuth given its many benefits. If you need help choosing and implementing the best authentication method for your situation, contact the experts at Hall.