Glossary
Last Updated Jul 06, 2021

API Credentials

Emma Jagger


What are API Credentials?  

API credentials are unique identifiers that are required to access some API tools. Credentials are similar to API authentication, in that they provide a way for API owners to control who has access to their APIs, and they protect users from malicious usage. However, API credentials identify who is using the software, which is an important distinction for security.

What info is required for API Credentials?

Different APIs require different information and authentication from their users, but generally the required fields are:

  • Name - your name
  • API password - a password string
  • Auth token - the authentication token issued by the API
  • API key - if a request doesn’t provide a token, it must offer an API key
  • Status - Active or Inactive membership
  • Actions - what level of permissions you have, i.e. record editing, project scope

What's the difference between API Credentials and API Authentication?

API keys authenticate an application accessing the API, without referencing an actual user, so the API knows the application, but doesn't know who the user is. There are a few solutions to this problem.  

HTTP Basic Auth

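HTTP Basic Auth sends a header called Authorization that carries a Base64-encoded username and password as credentials. Base64 is a reversible encoding, not encryption, so anyone who can read the header can recover the username and password. A request with an HTTP Basic Auth header looks like this: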


GET / HTTP/1.1
Host: abstractapi.com
Authorization: Basic ZGFuaWVsOnBhc3N3b3Jk

The Authorization string is a static string. It becomes an API key of sorts, has to be sent with every request, and is vulnerable to bad actors, all of which make it a less secure authentication option.

OAuth

OAuth solves the problems of HTTP Basic Auth by publishing an authorization server for each API that issues tokens. This server makes accounts for APIs, so the API owner knows who is using their services, and can enforce their rules and policies in their workspace. This also allows organizations to obtain keys on behalf of other users, and to open APIs based on "scope", or the specific needs for a project.  

Conclusion

API Credentials are similar to API Authentication, but not the same. In the case of Authentication, the application knows what application is using it, while in the case of Credentials, the application (and its owners) know who is using it. This is an important distinction in the world of APIs, where endpoints are exposed and potential data breaches are a very real threat to both users and API service providers.

Frequently Asked Questions

What are API credentials?

API credentials are unique identifiers that are required to access some API tools. They identify who is using the software, helping API owners control access and protect against malicious usage.

How do API credentials work?

API credentials are supplied with each request so the API can identify the user behind it. Depending on the method, they take the form of a username and password, an API key, or an auth token that the API checks before granting access.

What is the difference between API credentials and API authentication?

API credentials let the API know the actual person using the software. API authentication identifies the application making the request without referencing the individual user.

What information do API credentials usually include?

Credentials commonly include a name, an API password, an auth token, and an API key that is used when a request does not provide a token. They can also carry a status, such as active or inactive, and actions that define permission levels like record editing or project scope.

What is the difference between HTTP Basic Auth and OAuth for API credentials?

HTTP Basic Auth creates an Authorization header with a Base64-encoded username and password, but it is less secure because the authorization string is static and must accompany every request, leaving it vulnerable to bad actors. OAuth addresses this by using authorization servers that issue tokens, letting API owners know who is using their services and enforce policies based on a project's scope or needs.

Why do API credentials matter for security?

API credentials let owners control who can access their tools and protect users against malicious usage. Token-based methods like OAuth improve on static credentials by issuing tokens and enforcing access policies based on a project's scope.
