What are API Credentials?
API credentials are unique identifiers that are required to access some API tools. Credentials are similar to API authentication, in that they provide a way for API owners to control who has access to their APIs, and they protect users from malicious usage. However, API credentials identify who is using the software, which is an important distinction for security.
What info is required for API Credentials?
Different APIs require different information and authentication from their users, but generally the required fields are:
- Name- Your name
- API password - a password string
- Auth token - the authentication token issued by the API
- API key - if a request doesn’t provide a token, it must offer an API key
- Status - Active or Inactive membership
- Actions - what level of permissions you have, ie record editing, project scope
What's the difference between API Credentials and API Authentication?
API keys authenticate an application accessing the API, without referencing an actual user, so the API knows the application, but doesn't know who the user is. There are a few solutions to this problem.
HTTP Basic Auth
HTTP Basic Auth creates a header called Authorization, and a Base64-encrypted username and password as credentials. A request with an HTTP Basic Auth header looks like this:
The Authorization string is a static string. It becomes an API key of sorts, has to be sent with every request, and is vulnerable to bad actors, all making it a less secure option of authentication.
OAuth solves the problems of HTTP Basic Auth by publishing an authorization server for each API that issues tokens. This server makes accounts for APIs, so the API owner knows who is using their services, and can enforce their rules and policies in their workspace. This also allows organizations to obtain keys on behalf of other users, and to open APIs based on "scope", or the specific needs for a project.
API Credentials are similar to API Authentication, but not the same. In the case of Authentication, the application knows what application is using it, while in the case of Credentials, the application (and its owners) know who is using it. This is an important distinction in the world of APIs, where endpoints are exposed and potential data breachers are a very real threat to both users and API service providers.