When an API endpoint offers its services to a user via HTTP, it is said to be "exposed". This means traffic can flow in or out of the API endpoints, including potentially malicious traffic. API authentication protects the user and the API developers from data loss, service outages, or plain foolishness. It also allows developers to know what endpoints are most trafficked, and throttle potential problem users who are making too many requests.
At its root, API authentication is about keys. You ask for a key, and the owner grants you a key. Your key is a long, unique string of numbers and letters. Once you have an API key, you are allowed to use the API, the owner also knows who you are and what you are doing in their API. There are many different API authentication methods, but here a few common ones.
This API authentication is based on an exchange of keys between the user and the API. The user applies for a key via email or an authentication service. They will get a public key and a private key. The public key is to be used in request headers and URLs (where they will be visible), and a private key, to be used in server-to-server communication.
HMAC stands for "hash-based message authorization code". It's more secure than a regular API key, but requires significantly more effort to set up. A unique HMAC signature is shared between the user and server, with a timestamp and a unique numerical code for each request, and if the keys don't match, the server will reject the request. This protects servers from replay attacks, where authentication data is intercepted by a third party and replayed to the server to get unapproved authentication keys.
OAuth is a server-based authentication service. The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. This approach is more secure than an API key because the client is authenticated and the access token is transmitted directly to the client.
Getting an API key is similar to signing up for any other service. We will use the Abstract Exchange Rate API as an example. Go to the Abstract API and select "Create Your Free Account. Enter your information and select Sign Up. You will receive a confirmation email with a link to your Abstract API dashboard. Navigate to any of the APIs listed, for example, the IP Geolocation API. This page displays your unique API token for this API, and has a host of console options for testing it out.
You can test this API key in two ways:
API authentication is a necessary part of web development, and a really interesting solution to the problem of password anti-patterns. You don't need to know the cryptography behind authentication, but you should know how to get the keys you need, how to keep them safe, and where to use them in requests and URLs.