
Authentication Types


Last updated 11 months ago

Basic Authentication

  • HTTP Authorization header

  • Base64-encoded credentials

API Keys

  • Typically sent in an HTTP header

  • Acts as a username and password at once: a single secret identifies and authenticates the caller

GET / HTTP/1.1
Host: example.com
X-API-KEY: abcdef12345
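The server-side handling of the two schemes above, Basic Authentication (Base64-encoded `user:password` in the `Authorization` header) and an API key in `X-API-KEY`, as an added example that is not part of the original notes. The credential store, the user `alice`, her password and the principal `reporting-service` are constructed for the example; the key `abcdef12345` is the one from the request above. The comparison uses `hmac.compare_digest` so that response timing does not leak how much of a secret matched.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example. A real service would keep
# hashed passwords and hashed API keys; plaintext keeps the demo short.
USERS = {"alice": "s3cret-pass"}
API_KEYS = {"abcdef12345": "reporting-service"}   # key -> principal


def basic_header(user, password):
    """Client side: build the value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header_value):
    """Decode 'Basic <base64(user:pass)>' into (user, password), or None if malformed."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def _constant_time_lookup(table, candidate):
    """Compare the candidate against every stored key so timing does not
    reveal which key (if any) matched; return the mapped principal."""
    match = None
    for key, principal in table.items():
        if hmac.compare_digest(key.encode(), candidate.encode()):
            match = principal
    return match


def authenticate(headers):
    """Return (principal, method) for a request's headers, or (None, reason)."""
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    if "x-api-key" in h:
        principal = _constant_time_lookup(API_KEYS, h["x-api-key"])
        return (principal, "api-key") if principal else (None, "bad api key")

    if "authorization" in h:
        creds = parse_basic(h["authorization"])
        if creds is None:
            return None, "malformed basic credentials"
        user, password = creds
        # Unknown user compares against an empty string and fails.
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            return user, "basic"
        return None, "bad username or password"

    return None, "no credentials"
```

Both schemes are only as strong as the transport: the Base64 encoding and the raw key are readable by anyone who can see the request, so they are meant to travel over HTTPS.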

TLS Authentication

  • Plain HTTPS requires only the server/API to present a certificate; the client is not authenticated by TLS

  • Mutual TLS (mTLS) requires both parties to present a certificate, so the client is authenticated at the transport layer

Token Based Authentication

  • A trusted third party issues the tokens; the API only has to verify them

  • Tokens expire

  • A token can convey more than just the caller's identity, and that extra information can be used for authorization

  • OAuth uses scopes; OpenID Connect adds claims

OAuth is a delegation protocol whose main goal is API access. OpenID Connect is an identity layer on top of OAuth that defines user authentication metadata and can control authentication and federation. OAuth 2.0 is the standard today and requires HTTPS.
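The token-based flow in miniature, as an added example that is not part of the original notes: an issuer (the trusted third party) signs a token carrying the caller id, an expiry and a scope list, and the API verifies signature, expiry and scope before serving the request. The token format is a simplified JWT-like structure built here for illustration, not a real JWT or OAuth implementation; the shared secret, the subject `alice` and the scope names are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the issuer and the API (in OAuth the issuer
# would be the authorization server; a real deployment would use a key pair).
ISSUER_SECRET = b"example-issuer-secret-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64url(hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Issuer side: sign a payload carrying caller id, scopes, issue time and expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token, required_scope, now=None):
    """API side: signature first, then expiry, then scope.
    Returns (True, subject) on success or (False, reason) on failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Reject forged or tampered tokens before looking at any claim.
    if not hmac.compare_digest(_sign(body), sig):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed payload"
    if now >= payload.get("exp", 0):
        return False, "expired"
    # Scopes are the authorization data carried alongside the identity.
    if required_scope not in payload.get("scope", "").split():
        return False, "insufficient scope"
    return True, payload["sub"]


if __name__ == "__main__":
    tok = issue_token("alice", ["read:orders"], ttl_seconds=300)
    print(verify_token(tok, "read:orders"))    # (True, 'alice')
    print(verify_token(tok, "write:orders"))   # (False, 'insufficient scope')
```

The order of checks matters: verifying the signature before parsing the payload means an unsigned or tampered token never reaches the claim logic, and checking `exp` before scope means an expired token is rejected regardless of what it claims.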

Reference: API Keys: API Authentication Methods & Examples (Stoplight)