Authentication Types

Basic Authentication

  • HTTP Authorization header

  • Base64-encoded credentials

API Keys

  • Typically sent in an HTTP header

  • Acts as username and password in one

GET / HTTP/1.1
Host: example.com
X-API-KEY: abcdef12345

TLS Authentication

  • HTTPS requires only the server/API to present a certificate

  • Mutual TLS (mTLS) requires both parties to present a certificate

Token Based Authentication

  • A trusted 3rd party issues tokens

  • They expire

  • Can convey more information than just the caller ID, which can be used for authorization

  • OAuth uses scopes, OpenID Connect adds claims

OAuth is a delegation protocol whose main goal is API access. OpenID Connect is an identity layer on top of OAuth that defines user authentication metadata and can control authentication and federation. OAuth 2.0 is the standard today and requires HTTPS.
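An added example (not part of the original page) that checks the three header-based schemes above against a constructed credential store: Basic (base64 decoding of user:password), X-API-KEY (constant-time comparison), and a bearer token that carries an expiry and scopes. The token format, user names, keys and token values are assumptions made for the example.

```python
import base64
import binascii
import hmac
import time
from typing import Optional, Tuple

# Constructed sample store (hypothetical values, not real secrets).
BASIC_USERS = {"alice": "s3cret"}
API_KEYS = {"abcdef12345": "reporting-service"}
# Constructed tokens as an issuer might record them: subject, expiry (epoch seconds), scopes.
TOKENS = {
    "tok-live": {"sub": "alice", "exp": 4102444800, "scopes": {"read"}},
    "tok-old": {"sub": "alice", "exp": 1000000000, "scopes": {"read", "write"}},
}

def _consteq(a: str, b: str) -> bool:
    # Constant-time comparison so a timing difference does not leak secret prefixes.
    return hmac.compare_digest(a.encode(), b.encode())

def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 bytes
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate(headers: dict, required_scope: Optional[str] = None,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated principal name, or None if the request is rejected."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        creds = parse_basic(auth)
        if creds and creds[0] in BASIC_USERS and _consteq(BASIC_USERS[creds[0]], creds[1]):
            return creds[0]
        return None
    if auth.lower().startswith("bearer "):
        tok = TOKENS.get(auth[7:].strip())
        if tok is None or tok["exp"] <= now:
            return None  # unknown or expired token
        if required_scope and required_scope not in tok["scopes"]:
            return None  # authenticated, but the token does not carry this scope
        return tok["sub"]
    key = headers.get("X-API-KEY")
    if key and any(_consteq(stored, key) for stored in API_KEYS):
        return next(owner for stored, owner in API_KEYS.items() if _consteq(stored, key))
    return None
```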
