# Authentication Types

## Basic Authentication

* HTTP `Authorization` header
* Base64-encoded credentials

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FmSLxRwoxWVj2ll9dXiq8%2Fbasic_authorization_header.png?alt=media&#x26;token=13d0de9f-f867-47fd-b308-84cf63cda086" alt=""><figcaption></figcaption></figure>
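Building and verifying the header end to end, as an added example (not code from the original page). It shows that the Base64 step is an encoding, not encryption: the server recovers the plaintext credentials with a single decode, which is why Basic Authentication only makes sense over TLS. The `USERS` table and the credentials are constructed for the demo; a real service would store a salted password hash rather than the plaintext.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed demo credential store (username -> password). Kept as plaintext
# only to focus on the header format; store a salted hash in real code.
USERS = {"alice": "correct horse battery staple"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64("user:pass"), per RFC 7617."""
    if ":" in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: return (username, password), or None if the header is malformed."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of
        # silently discarding them.
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> Optional[str]:
    """Return the authenticated username, or None on any failure."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    username, password = parsed
    # Unknown users compare against an empty string so the code path is uniform;
    # compare_digest avoids leaking how many characters matched.
    expected = USERS.get(username, "")
    if expected and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return username
    return None


if __name__ == "__main__":
    header = build_basic_header("alice", "correct horse battery staple")
    print(header)                      # the header a client would send
    print(parse_basic_header(header))  # anyone who sees it sees the credentials
    print(authenticate(header))
```

The decode in `parse_basic_header` is the whole point of the example: any intermediary that can read the header (a proxy log, a captured request) can recover the password with the same one-line decode.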

## API Keys

* Typically sent in an HTTP header
* Acts as username and password in one: whoever holds the key is the caller

```http
GET / HTTP/1.1
Host: example.com
X-API-KEY: abcdef12345
```

{% embed url="https://blog.stoplight.io/api-keys-best-practices-to-authenticate-apis" %}
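Issuing and checking an `X-API-KEY` header on the server side, as an added example (not code from the original page or the linked article). Because the key is both identifier and secret, it is generated with a CSPRNG and stored only as a SHA-256 fingerprint, so a leaked key table does not leak usable keys; the header lookup is case-insensitive since HTTP header names are. `ApiKeyStore`, the owner names and scopes are constructed for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple


def generate_api_key() -> str:
    """Issue a new key: 32 random bytes, URL-safe, so it fits in a header."""
    return secrets.token_urlsafe(32)


def key_fingerprint(key: str) -> str:
    """Keys are stored hashed; the plaintext is shown to the client exactly once."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Constructed in-memory store: sha256(key) -> (owner, scopes)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Tuple[str, Set[str]]] = {}

    def issue(self, owner: str, scopes: Set[str]) -> str:
        key = generate_api_key()
        self._by_hash[key_fingerprint(key)] = (owner, set(scopes))
        return key  # returned once; never persisted in plaintext

    def lookup(self, key: str) -> Optional[Tuple[str, Set[str]]]:
        # Looking up by hash is safe against timing probes: the hash of an
        # unknown key is unpredictable, so partial matches reveal nothing.
        return self._by_hash.get(key_fingerprint(key))

    def revoke(self, key: str) -> None:
        self._by_hash.pop(key_fingerprint(key), None)


def authenticate_request(headers: Dict[str, str], store: ApiKeyStore) -> Optional[str]:
    """Return the owner of the presented key, or None if missing, unknown or revoked."""
    key = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "x-api-key":
            key = value.strip()
    if not key:
        return None
    record = store.lookup(key)
    return record[0] if record else None


def authorize_request(headers: Dict[str, str], store: ApiKeyStore, needed: str) -> bool:
    """Authorization on top of authentication: does the key carry the needed scope?"""
    key = next((v.strip() for k, v in headers.items() if k.lower() == "x-api-key"), None)
    record = store.lookup(key) if key else None
    return bool(record) and needed in record[1]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-service", {"invoices:read"})
    request = {"Host": "example.com", "X-API-KEY": key}
    print(authenticate_request(request, store))          # billing-service
    print(authorize_request(request, store, "invoices:read"))
```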

## TLS Authentication

* Plain HTTPS requires only the server (the API) to present a certificate; the client is not authenticated at the TLS layer
* **Mutual TLS (mTLS)** requires both parties to present a certificate, so the API also verifies the client's identity

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2Fsjo1yfgIV6U7PpgEQt8t%2Fmtls.png?alt=media&#x26;token=c50e5f9f-1fb1-4cc2-917c-30577a765019" alt="" width="547"><figcaption></figcaption></figure>

## Token Based Authentication

* A trusted third party (the authorization server) issues tokens; the API only verifies them
* Tokens expire, which bounds the damage from a leaked token
* A token can carry more than the caller's ID; that extra information can be used for authorization
* OAuth uses **scopes**, OpenID Connect adds **claims**

> ***OAuth** is a delegation protocol whose main goal is API access. **OpenID Connect** is an identity layer on top of OAuth that defines user-authentication metadata and can control authentication and federation. **OAuth 2.0** is the standard today and requires HTTPS.*
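A minimal signed, expiring token with scope claims, as an added example (not code from the page, and deliberately not JWT or OAuth itself). It shows the three properties listed above: the issuer signs with a key the API can verify, the `exp` claim makes the token expire, and the `scope` claim carries authorization data beyond the caller's ID. `SIGNING_KEY`, the token format, the claim names and the `now` parameter are constructed for the demo; the signature is checked before the body is parsed so that unsigned input never reaches the JSON decoder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed shared secret between issuer and API (HMAC). Real deployments
# keep this out of source, or use an asymmetric key so the API only holds the public half.
SIGNING_KEY = b"demo-only-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64url(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(subject: str, scopes: List[str], ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issuer side: '<base64url(claims)>.<base64url(hmac)>' with iat and exp claims."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """API side: return the claims only if the signature is valid and the token is unexpired."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not body:
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # verify before parsing anything
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Authorization decision from the claims: is the required scope present?"""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read"], ttl_seconds=300)
    print(tok)
    print(authorize(tok, "orders:read"))   # True
    print(authorize(tok, "orders:write"))  # False: scope not granted
```

Because the API checks the signature itself, it never needs to call back to the issuer per request; expiry is what limits how long a stolen token remains useful, so short TTLs plus refresh are the usual trade-off.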
