REST API Authorisation

rohin bisht
2 min read · Mar 6, 2022

If you try to access a REST URL and get a 401 Unauthorized response, you need to send an Authorization header with the request.
There are many ways to authorize a REST request. In this article, we will cover the major authorization schemes, their pros and cons, and how to use them.

Important: Always call APIs that require authorization over HTTPS, so there is a secure, encrypted channel between client and server and anyone snooping on the request in transit cannot extract this sensitive information.

Basic Authentication

It can be considered the simplest form of authorization. You pass base64-encoded user credentials in the request header, prefixed with the scheme name:

Authorization: Basic base64(<Username>:<Password>)

It is not a recommended way to do auth at all, especially on the client side. Over an unsecured HTTP channel, your username and password can be extracted trivially (base64 is an encoding, not encryption), compromising your whole account.

For third-party APIs, it exposes the account details (username and password) if the call is made client-side.
Example: Let’s assume you own the app ‘A-app’ and you are using the APIs of another service, ‘B-service’. You have a paid account for B-service, and the authorization scheme its REST APIs use is basic authentication.
Now, if you make direct calls to B-service from the A-app frontend, the Authorization header is exposed to the public and your B-service account can be compromised.

API keys

API keys are also used to authorize applications to use third-party services, Google Maps for instance. Instead of a user, an API key represents an application.
An API key can be passed as a custom header (x-api-key), as a query param, or even in the Authorization header (basic <API key>).

API keys can only be used to authorize applications, not users. You also need to restrict the use of an API key to specific domains (or other referrer/origin checks), as otherwise it can easily be captured from browser dev tools and misused.

Bearer Authentication

Bearer authentication uses a short-lived token issued by a server. This token is usually a JWT that expires after a certain period of time, which makes it more secure than Basic Auth and API keys.

Authorization: Bearer <token>

Since these tokens are short-lived, they inconvenience users by asking them to log in again after token expiry in order to get a new token.
This degrades the user experience.
To mitigate this, refresh tokens are used. The authorization server sends a refresh token along with the bearer token. The refresh token can be used at any time to obtain a fresh bearer token. Since the refresh token is valid for a long duration, it weakens the security advantage of short-lived bearer tokens, but it provides a better user experience.
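As an added example (not code from the original article), the access/refresh token flow described above, implemented server-side in Python: HMAC-SHA256-signed tokens stand in for JWTs, and the signing key, TTL values and function names are assumptions constructed for this illustration. A resource server accepts only an unexpired access token, and a refresh exchange issues a new pair without a new login.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # hypothetical server secret
ACCESS_TTL = 15 * 60          # short-lived bearer token: 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token: 30 days

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject: str, kind: str, ttl: int, now: float) -> str:
    """HMAC-SHA256 signed '<payload>.<sig>' token (a stand-in for a JWT)."""
    payload = _b64(json.dumps({"sub": subject, "kind": kind, "exp": int(now) + ttl}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token: str, kind: str, now: float):
    """Return the claims if the signature, token kind and expiry all check out, else None."""
    payload, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("kind") != kind or claims.get("exp", 0) <= now:
        return None
    return claims

def issue_pair(subject: str, now: float) -> dict:
    # What the authorization server returns after login: both tokens together.
    return {"token_type": "Bearer",
            "access_token": mint_token(subject, "access", ACCESS_TTL, now),
            "refresh_token": mint_token(subject, "refresh", REFRESH_TTL, now)}

def authorize_request(headers: dict, now: float):
    """Resource server: accept only 'Authorization: Bearer <unexpired access token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = verify_token(token, "access", now) if scheme == "Bearer" else None
    return claims["sub"] if claims else None

def refresh(refresh_token: str, now: float):
    """Exchange a still-valid refresh token for a fresh pair without a new login."""
    claims = verify_token(refresh_token, "refresh", now)
    return issue_pair(claims["sub"], now) if claims else None
```

Because the refresh token is the long-lived secret, a real deployment should also store issued refresh tokens so they can be revoked, and treat reuse of an already-exchanged refresh token as a sign of theft.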

Popular OAuth-based authentication workflows also issue bearer tokens.

And, that’s all for this article.


Clap if you like it and comment with any suggestions/corrections. Please subscribe, as I will be posting articles on some interesting topics.