Authenticating your RESTful API

Authenticating users: use OAuth 2 and/or JSON Web Tokens with the Authorization HTTP header

User authentication for a RESTful API could (and maybe will) be the subject of another series of articles, given how wide and complex it can be. To summarize it very briefly however, there are currently 2 technologies you can use for user authentication:

  • OAuth 2 (which can be combined with OpenID Connect)
  • JSON Web Tokens
Authorization: Bearer <token>

Why you should not send your token as a GET parameter ?

It could be very tempting to design your API to allow users to receive tokens via a GET parameter, with for example the following request:

GET /my-resource?access_token=123456

Authenticating applications: use API keys

Again, the whole topic of API authentication is very large, and this report will not go into details, but basically, if you want to authenticate other applications (in other words, allow not only users but also other applications to use your API), your API should provide a mechanism for generating API keys. As a tip, think that these API keys can actually be JSON Web Tokens.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Guillaume Viguier-Just

Guillaume Viguier-Just

Développeur web et passionné de finances personnelles