Authentication Techniques for APIs
While there are as many proprietary authentication methods as there are systems that use them, they are largely variations of a few major approaches. In this post, I will go over the most common ones used in the REST API and microservices world.
Authentication vs Authorization
The two functions are often bundled together in a single solution, but the easiest way to separate authorization from authentication is to ask: what does each one actually state or prove about me?
Authentication is when an entity proves an identity. In other words, authentication proves that you are who you say you are. This is like holding a driver's license issued by a trusted authority, which a requester, such as a police officer, can use as evidence that you are in fact who you claim to be.
Authorization is an entirely different concept. In simple terms, authorization is when an entity proves a right to access. In other words, authorization proves you have the right to make a particular request. Consider the following: you have a working key card that opens only some of the doors in the work area, not all of them.
In summary:
Authentication: Refers to proving correct identity
Authorization: Refers to allowing a certain action
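To make the distinction concrete in code, here is an added example (not from the original post) of a minimal API request handler that keeps the two checks separate: authenticate() answers "who is calling?" from a bearer token, and authorize() answers "may this caller do this?" from a role-to-permission map. The token store, principals, roles and permissions are constructed sample data, not values from any real system. Keeping the two steps apart also gives each failure its own status: 401 when no identity is proven, 403 when a proven identity lacks the right.

```python
"""Added example (not from the original post): a minimal request handler that
keeps authentication (who is calling?) and authorization (may they do this?)
as two separate checks, so each failure maps to a distinct HTTP status."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: opaque API tokens mapped to principals, and the
# permissions each role grants. A real service would look these up in a store.
TOKENS = {
    "tok-alice-9f3a": "alice",
    "tok-bob-71c2": "bob",
}
ROLES = {"alice": "admin", "bob": "reader"}
PERMISSIONS = {
    "admin": {"GET /reports", "DELETE /reports"},
    "reader": {"GET /reports"},
}


@dataclass
class Response:
    status: int
    body: str


def authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the principal the bearer token proves, or None if no identity
    can be established. Compares against every known token in constant time
    so response timing does not reveal how much of a guess matched."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):]
    for token, principal in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return principal
    return None


def authorize(principal: str, action: str) -> bool:
    """Return True if the principal's role grants the requested action.
    This says nothing about identity; it assumes authenticate() already ran."""
    role = ROLES.get(principal)
    return action in PERMISSIONS.get(role, set())


def handle(method: str, path: str, auth_header: Optional[str]) -> Response:
    """Dispatch a request: 401 when identity is unproven (authentication
    failed), 403 when the proven identity lacks the right (authorization
    failed), 200 otherwise."""
    principal = authenticate(auth_header)
    if principal is None:
        return Response(401, "unauthenticated")
    action = f"{method} {path}"
    if not authorize(principal, action):
        return Response(403, f"{principal} is not allowed to {action}")
    return Response(200, f"{principal} performed {action}")


if __name__ == "__main__":
    # bob is a reader: he can prove who he is, but only some doors open for him.
    print(handle("GET", "/reports", "Bearer tok-bob-71c2"))          # 200
    print(handle("DELETE", "/reports", "Bearer tok-bob-71c2"))       # 403
    # An unknown token proves no identity at all, so authorization never runs.
    print(handle("DELETE", "/reports", "Bearer tok-mallory-0000"))   # 401
```

The key card analogy maps directly: a valid token is the card being recognised at all (authentication), while the permission set is the list of doors it opens (authorization). Returning 401 and 403 as distinct outcomes also helps on the defensive side, since a burst of 401s and a burst of 403s point at different problems in the logs.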
Below are the authentication techniques for APIs. I have also given a description and use cases for each authentication method.
Happy Security.