API Authentication methods
APIs are used for machine-to-machine data exchange. When a machine tries to access data from an application, it needs to identify itself. Machines can identify themselves in broadly one of the following ways:
- API Key
- Basic Authentication
- OAuth2 Authentication
API Key
The source application provides a static API key, and the caller has to present this key while fetching the information. Because the key is a static shared secret, leaking an API key is equivalent to leaking credentials.
Basic Authentication
In Basic Authentication, the caller presents a username and password to access the data.
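The two methods above both hand the server a long-lived secret on every request, so the server-side handling decides how bad a leak is. The following added example (not code from the original page) shows a small request authenticator that accepts either an X-API-Key header or a Basic Authorization header: secrets are stored only as hashes, comparisons are constant-time, and an unknown user costs the same time as a known one. The client name, user, key and password are constructed values for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# --- Credential store (constructed for this example) ---------------------
# Secrets are stored only as hashes, so leaking this table is not the same
# as leaking the credentials themselves.

def hash_api_key(key: str) -> bytes:
    # API keys are long random strings, so a plain SHA-256 is sufficient.
    return hashlib.sha256(key.encode("utf-8")).digest()

def hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are low-entropy, so use a slow, salted KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

# Hypothetical client and user; key and password are made up.
API_KEYS = {"svc-reporting": hash_api_key("sk_example_9f3c2a7e1b")}

_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse battery", _ALICE_SALT))}

# Dummy record so that an unknown user takes as long to check as a known one.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

# --- Verification -------------------------------------------------------

def check_api_key(presented: str) -> Optional[str]:
    """Return the client name for a valid key, else None."""
    digest = hash_api_key(presented)
    result = None
    for client, stored in API_KEYS.items():
        # compare_digest keeps the comparison constant-time; no early exit.
        if hmac.compare_digest(digest, stored):
            result = client
    return result

def check_basic(param: str) -> Optional[str]:
    """Validate the base64 'user:password' parameter of a Basic header."""
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    # Hash and compare first, then check membership, so timing does not
    # reveal whether the username exists.
    if hmac.compare_digest(hash_password(password, salt), stored) and user in USERS:
        return user
    return None

def authenticate(headers: dict) -> Optional[str]:
    """Identify the caller from request headers; None means unauthenticated."""
    if "X-API-Key" in headers:
        return check_api_key(headers["X-API-Key"])
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and param:
        return check_basic(param.strip())
    return None

def basic_header(user: str, password: str) -> str:
    """Build the header value a client would send (used by the demo below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()

if __name__ == "__main__":
    print(authenticate({"X-API-Key": "sk_example_9f3c2a7e1b"}))                       # svc-reporting
    print(authenticate({"Authorization": basic_header("alice", "correct horse battery")}))  # alice
    print(authenticate({"Authorization": basic_header("alice", "wrong")}))             # None
```

The point of the hashed store is exactly the sentence above: with plaintext keys in the database, a database leak is a credential leak; with hashed keys, the attacker still has to obtain the key from the caller's side.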
OAuth2 Authentication
In OAuth2, the caller first obtains a temporary access token and then passes that token to the application to fetch the data. This is one of the most secure methods of fetching data.
OAuth2 is a standard spec, and its security can be enhanced further with additional properties (refer to the High Security OAuth guidance in the OAuth2 spec).
Beyond security, OAuth2 also gives you fine-grained access control over your resources.
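To make the two properties claimed above concrete (the token is temporary, and access is controlled per scope), here is an added example, not code from the original page or from any OAuth2 library: a minimal authorization server that issues an HMAC-signed access token carrying a subject, a scope list and an expiry, and a resource server that validates the signature, rejects expired tokens, and checks the scope required by the endpoint. The signing key, lifetime, client name and scope names are constructed for the example; a real deployment would typically use a managed secret or an asymmetric key pair and a standard token format.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed signing key shared by the authorization server and the
# resource server in this example; treat it as a stand-in for a managed secret.
SIGNING_KEY = b"constructed-example-signing-key"
TOKEN_LIFETIME = 300  # seconds; short lifetime limits the value of a leaked token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id: str, scopes: List[str], now: Optional[float] = None) -> str:
    """Authorization server: mint a short-lived, signed access token."""
    now = time.time() if now is None else now
    claims = {
        "sub": client_id,
        "scope": " ".join(scopes),
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME,
    }
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource server: return the claims if the signature is valid and the token is unexpired."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(header: str, required_scope: str, now: Optional[float] = None) -> Optional[str]:
    """Check an 'Authorization: Bearer <token>' header for a scope; return the subject or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    claims = verify_token(token.strip(), now)
    if claims is None:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims["sub"]

if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("svc-reporting", ["reports:read"], now=t0)
    print(authorize("Bearer " + token, "reports:read", now=t0 + 10))             # svc-reporting
    print(authorize("Bearer " + token, "reports:write", now=t0 + 10))            # None (scope)
    print(authorize("Bearer " + token, "reports:read", now=t0 + TOKEN_LIFETIME + 1))  # None (expired)
```

Scope checks happen per endpoint on the resource server, which is what gives the fine-grained control the text refers to: the same client can hold a token that permits reading reports but not writing them, and the token stops working on its own after the lifetime elapses.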
Comparison of Authentication types

Which Auth method should I use?
Depending on your application, one or more auth methods might be allowed. Our preference, in order of security, is:
- OAuth2
- Basic Auth
- API Key
Custom Authentication
We have often seen applications implementing their own authentication methods, or being only partially compliant with the OAuth2 spec. With custom auth, users need to be clear about the security impact and the best practices for such methods.