API Design: HTTP Basic Authentication vs API Token

People also ask

What is the difference between basic authentication and token based authentication?

Instead of having your user send their actual credentials to your server on every single request (like they would with Basic Auth, where a user sends their username/password to the server for each request), with OAuth you first exchange your user credentials for a 'token', and then authenticate users based on this ' ...

Which authentication is best for API?

OAuth 2.0. OAuth (specifically, OAuth 2.0) is considered a gold standard when it comes to REST API authentication, especially in enterprise scenarios involving sophisticated web and mobile applications. OAuth 2.0 can support dynamic collections of users, permission levels, scope parameters and data types.

What is the difference between Basic Auth and bearer token?

The Basic and Digest authentication schemes are dedicated to the authentication using a username and a secret (see RFC7616 and RFC7617). The Bearer authentication scheme is dedicated to the authentication using a token and is described by the RFC6750.

Which three methods can be used to authenticate to an API?

We'll highlight three major methods of adding security to an API — HTTP Basic Auth, API Keys, and OAuth. We'll identify the pros and cons of each approach to authentication, and finally recommend the best way for most providers to leverage this power.

Best bet might be using an API key in the header (e.g. 'Authorization: Token MY_API_KEY') instead of as a url param:

Advantages over HTTP Basic Auth:

More convenient, as you can easily expire or regenerate tokens without affecting the user's account password.
If compromised, vulnerability limited to API, not the user's master account
You can have multiple keys per account (e.g. users can have "test" and "production" keys side by side.)

Advantages over API key in URL:

Provides extra measure of security by preventing users from inadvertently sharing URLs with their credentials embedded in them. (Also, URL can wind up in things like server logs)

Many times I had to think about how to authenticate users/requests onto APIs and after comparing more solutions I ended up with using the Amazon's solution where I don't need or I can't use OAuth. This solution is based on signatures that prevents from "man in the middle" problems as Basic Auth and passing a simple token are sending plain text data. Yes you can add ssl but this will add complexity to the system...

I think that HTTP Basic Auth should be OK but just for really simple needs.

The complete (and final) solution IMHO is to implement an OAuth provider. It's not complex, it's a simple protocol and gives you lots of flexibility. In addition it seems to be the current trend as many big players implement it and it's supported from many many libraries.

Related questions
                            
                                Creating a REST API using PHP [duplicate]
                            
                                Google Search from a Python App
                            
                                Simple API Calls with Node.js and Express
                            
                                Retrofit 2.0 throwing "IllegalArgumentException: @Field parameters can only be used with form encoding". How to do right API query and fix it?
                            
                                Returning API Error Messages with Python and Flask
                            
                                What's the difference between sockaddr, sockaddr_in, and sockaddr_in6?
                            
                                API key Browser API keys cannot have referer restrictions when used with this API
                            
                                Strings sent through Web API's gets wrapped in quotes
                            
                                Getting LinkedIn Profile Picture
                            
                                Do you use Javadoc for every method you write? [closed]
                            
                                What are the trade-offs between different methods of constructing API URLs: subdomain vs. subdirectory and versioning? [closed]
                            
                                What exactly is a Private API, and why will Apple reject an iOS App if one is used?
                            
                                What is the best Twitter API wrapper/library for .NET? [closed]
                            
                                Writing backwards compatible Android code
                            
                                New Facebook app - FBML or iFrame? [closed]
                            
                                C#: Perform Operations on GPU, not CPU (Calculate Pi) [closed]
                            
                                How can I get the memory that my Java program uses via Java's Runtime api?
                            
                                C API design: Who should allocate? [closed]
                            
                                Bloomberg Open API
                            
                                aws api gateway & lambda: multiple endpoint/functions vs single endpoint

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

API Design: HTTP Basic Authentication vs API Token

Tags:

authentication

architecture

basic-authentication

api

People also ask

Recent Activity

Donate For Us