API Authentication Lab

API Auth Types

This section will discuss some of the popular API authentication methods that exist.

Basic Authentication

The simplest way to handle authentication is to send the username and password with every API call. The two values are joined with a colon, encoded using Base64, and placed in an HTTP header. Base64 is an encoding, not encryption: anyone who can read the header can recover the credentials, so Basic Authentication is only acceptable over TLS.


{“admin:password123”} is the plain text string
“U3BvbmdlQm9iOlNxdWFdwZVBhbnRzCg” is the base64 encoded string

In the request header, you will see an Authorization header whose value is the word Basic followed by a space and the Base64 encoded string.


Authorization: Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRzCg
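An added example, not part of the original lab, showing both sides of Basic Authentication: building the header value a client sends, and parsing it back on the server side with the checks a verifier needs (correct scheme, tolerant of dropped "=" padding, valid Base64, a colon separator, and a constant-time comparison of the recovered secret). The function names and the constant names are my own. Note that the encoded string quoted on the page decodes to "SpongeBob:SquarePants" followed by a newline, not to "admin:password123"; the trailing newline is what you get when the plaintext is piped through echo without -n, and it is a common reason a Basic header fails to validate.

```python
import base64
import binascii
import hmac

# Constructed example credentials for the demo; not a real account.
PLAINTEXT = "admin:password123"
# The encoded string quoted on the page, as written there (no "==" padding).
PAGE_ENCODED = "U3BvbmdlQm9iOlNxdWFyZVBhbnRzCg"


def make_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    if ":" in username:
        # RFC 7617: the user-id cannot contain a colon, since it is the separator.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str) -> tuple:
    """Recover (username, password) from a Basic Authorization header value.

    Rejects other schemes and malformed Base64; tolerates missing '=' padding.
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    encoded = encoded.strip()
    encoded += "=" * (-len(encoded) % 4)  # restore padding if the client dropped it
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in Authorization header") from exc
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return user, password


def credentials_match(supplied: str, expected: str) -> bool:
    """Constant-time comparison so the verifier does not leak prefix timing.

    In a real service compare a password hash, not the plaintext; the
    constant-time comparison is the point being shown here.
    """
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    print(make_basic_header("admin", "password123"))
    print(parse_basic_header("Basic " + PAGE_ENCODED))
```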

Bearer Authentication

Bearer Authentication, also known as token authentication, is a two-step process. In this authentication model, you, the user of an API, must first acquire a token and then use that token to authenticate and authorize your future requests. The API server generates the token, a long, difficult-to-guess string of numbers and letters.

Bearer Token

Once the server returns the API token, any future requests should include an Authorization header carrying the token after the scheme keyword Bearer. Unlike Basic Auth, you don't need to encode the token yourself, because it is already in a header-safe form when the authentication server issues it. The name is literal: whoever bears the token is accepted as its owner, so it must only ever travel over TLS. The header field may look like the example below.


Authorization: Bearer eyJhbGciOnR5cCI6IkpXVCJ9eyJhbGciOnR5cCI6IkpXVCJ9

API Keys

Authentication using API keys is very similar to Bearer Authentication; the one difference is how you acquire the credential. Unlike tokens, API keys do not have an expiry date, and the API vendor generates the key for you rather than issuing it in response to a login.

This method gives each developer a unique key that is sent with every request. The key is a long, difficult-to-guess string of numbers and letters, and it is typically passed in the Authorization header, the same as the bearer token above. Because a key does not expire on its own, a leaked key stays valid until it is revoked, so keys should be stored hashed on the server and be easy to rotate.
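An added example, not part of the original lab and not any vendor's code, that puts the Bearer and API key sections side by side: a small in-memory store issues bearer tokens with an expiry and API keys without one, keeps only a SHA-256 fingerprint of each secret rather than the secret itself, and checks an incoming Authorization header against the store. The class and method names, the fake clock, and the subject names are my own assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional


def parse_authorization(header_value: str) -> tuple:
    """Split 'Authorization: <scheme> <credential>' into (scheme, credential)."""
    scheme, _, credential = header_value.strip().partition(" ")
    credential = credential.strip()
    if not scheme or not credential:
        raise ValueError("malformed Authorization header")
    return scheme.lower(), credential


def fingerprint(secret: str) -> str:
    """Store only a SHA-256 digest of a token or key, never the secret itself.

    A leaked store then yields nothing a client could present directly, and the
    digest lookup reveals no timing information about the secret.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class TokenStore:
    """Issues bearer tokens (with expiry) and API keys (no expiry), both stored hashed."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be tested deterministically
        self._records = {}  # digest -> {"kind", "subject", "expires"}

    def issue_bearer(self, subject: str, ttl_seconds: int) -> str:
        """Step one of bearer auth: hand the caller a fresh, unguessable token."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL/header safe
        self._records[fingerprint(token)] = {
            "kind": "bearer", "subject": subject, "expires": self.now() + ttl_seconds,
        }
        return token

    def issue_api_key(self, subject: str) -> str:
        """Vendor-generated key for a developer; it never expires on its own."""
        key = secrets.token_urlsafe(32)
        self._records[fingerprint(key)] = {"kind": "apikey", "subject": subject, "expires": None}
        return key

    def revoke(self, secret: str) -> bool:
        """Remove a key or token; the only way a non-expiring API key stops working."""
        return self._records.pop(fingerprint(secret), None) is not None

    def authenticate(self, header_value: str) -> Optional[str]:
        """Step two: return the subject for a valid header, or None to reject it."""
        try:
            scheme, credential = parse_authorization(header_value)
        except ValueError:
            return None
        if scheme != "bearer":
            return None  # only the Bearer scheme is accepted for tokens and keys
        record = self._records.get(fingerprint(credential))
        if record is None:
            return None  # unknown or revoked credential
        if record["expires"] is not None and self.now() >= record["expires"]:
            return None  # bearer token has expired; the client must acquire a new one
        return record["subject"]


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue_bearer("alice", ttl_seconds=3600)
    print(store.authenticate("Bearer " + token))
```

The store accepts API keys under the same Bearer scheme the page describes; services that expect a separate header such as X-API-Key would dispatch on that header instead of on the scheme keyword.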