Hey readers,
In our last post, we designed a beautiful, well-organized API that was as clean as a library. But there’s a problem: the front door is wide open. Anyone can walk in, read the books, write on the walls, and rearrange the shelves.
An API without security is just a liability. Before you can let your API out into the world, you need to be able to answer the fundamental question: “Who are you?” This process is called Authentication.
Authentication is all about verifying identity. It’s the bouncer at the door checking IDs. There are many ways to do this, each with its own trade-offs between simplicity and security.
Let’s use an analogy: you need to get into a secure building. Here are four different types of “keys” you might use, from simplest to most sophisticated.
1. API Keys (The Key Under the Doormat)
This is one of the simplest forms of authentication. You generate a long, unique string of characters (the API Key) for each client application. The client then includes this key in every request it makes.
-
Analogy: You give your friend a spare key to your building that you leave under the doormat. Anyone who finds that key can get in, but it’s better than leaving the door unlocked.
-
How it works: The client usually sends the key in a custom HTTP header, like
X-API-Key: <your_api_key>. The server checks if the key is valid. If it is, the request proceeds. -
When to use it: It’s great for simple, public APIs where you want to track usage or perform basic rate limiting (e.g., a weather data API). It identifies the application, not necessarily the user.
-
Downside: If the key is ever leaked, an attacker has full access until the key is revoked.
2. Basic Authentication (Showing Your ID Every Time)
This method uses a standard HTTP header to send a username and password with every single request.
-
Analogy: This is like having a security guard who asks for your driver’s license every time you walk through the door, even if you were just there two minutes ago.
-
How it works: The client takes the username and password, joins them with a colon (
username:password), base64 encodes them, and sends them in theAuthorizationheader.Authorization: Basic <encoded_string>. -
When to use it: It’s simple to implement and is built into the HTTP standard. However, it’s not very secure unless used exclusively over HTTPS, because the credentials are sent with every request.
-
Downside: Sending credentials on every call is risky. It’s rarely used in modern web applications but can be useful for simple server-to-server integrations.
3. Session-Based Authentication (The Temporary Keycard)
This is the classic way most traditional web applications handle logins. It’s stateful, meaning the server has to remember the user between requests.
-
Analogy: You show your ID to the security guard once. In return, they give you a temporary keycard that works for the rest of the day. Now you just swipe the keycard to get in, without showing your ID every time.
- How it works:
- A user sends their username and password to the server.
- The server verifies them, creates a “session,” and stores the session ID in its memory or database.
- The server sends the session ID back to the client, which stores it in a cookie.
- On all future requests, the browser automatically includes the cookie. The server uses the ID to look up the session data and identify the user.
- Why it matters: This is a huge improvement over Basic Auth because the user’s actual password isn’t sent with every request. It’s a proven, reliable method for web applications.
4. JWT (JSON Web Tokens) (The Self-Contained Access Pass)
This is the modern, stateless approach to authentication, especially popular with Single-Page Applications (SPAs) and mobile apps.
-
Analogy: Instead of a simple keycard, the security guard gives you a special, laminated access pass. The pass itself contains your photo, your name, and a list of areas you’re allowed to access (e.g., “Floors 1-3”). It’s also been stamped with a special seal that’s impossible to forge. The guard doesn’t need to look you up in a computer; they can just look at the pass itself to know who you are and what you’re allowed to do.
- How it works:
- A user logs in with their credentials.
- The server generates a JWT. This token is a string of characters that contains information (the “payload,” e.g.,
userId: 123) and is digitally signed with a secret key. - The server sends this token to the client. The client stores it (usually in local storage) and includes it in the
Authorizationheader of every request (Authorization: Bearer <token>). - The server can verify the token’s signature to ensure it hasn’t been tampered with. It can then get the user’s ID directly from the token’s payload without needing to look up a session in a database. This is stateless.
- Why it matters: Because the server doesn’t have to store session information, JWTs are fantastic for APIs and microservices. Any server with the secret key can verify the token, making it easy to scale your application horizontally.
What’s the next move?
Challenge: Go to the website of a service you use (like Twitter, GitHub, or Spotify). Log in, then open your browser’s developer tools. Look at the “Network” or “Storage” tabs. Can you find the “key” they use to authenticate you? Is it a cookie with a session ID? Is it a JWT in Local Storage?
Seeing how the pros implement these patterns is the best way to understand them.
Thanks for reading!
Bou~codes and Naima from 10xdev blog.