In this article, we will discuss API authentication methods. Before that, you have to understand the meaning of the word Authentication. Later on, you will get a detailed description of different API authentication methods. Before understanding the meaning of authentication more important thing is you should be aware of what isn’t authentication. There is another term authorization you should be aware of. One thing that is crucial to keep in mind is that you can’t rely on only a single authentication method. So that is why there is a need for a variety of API authentication methods. So without wasting time let’s come to the point.

What is Authentication and how different from Authorization?

In simple words, Authentication is a process that checks or verifies the identity of a user who tries to access any network, system, or device. Some access control mechanisms usually verify the username and password to get the identity of the user. For example, to access your email you have to provide credentials such as a username and password to log in. If the credentials are correct you are allowing the website to know who are you and it is your identity that is accessing the website. Some other examples are four or six-digit passcode for mobile unlocking and login passwords for your computer. Now day’s biometrics is used for smartphones. Whereas Authorization is a process that determines the rights associated with a particular identity, which means what a user can do.

Why is Authentication needed?

According to you why do we require authentication? What do you think about it? Let me help you to understand. Say you have access to some important information and others shouldn’t have to know about it because such a situation can lead to harm to you. So the kind of way that doesn’t allow unauthorized people to access your sensitive information is authentication and we want it. Authentication is very important in today's scenarios because nowadays there is a lot of increase in cybercrime. When authentication isn’t secure then the hacker mainly tries to get system access and steal sensitive information. There are a few examples of cybercrimes like Equifax, Adobe, and Yahoo data breach due to poor authentication.

What are the different types of Authentication?

Due to increased cyber attacks, different types of authentication methods have been developed. Let’s have a look at them.

• Password authentication
• Two-Factor authentication
• Multi-Factor authentication
• Certificate authentication
• Token authentication
• Biometric authentication
• Transaction authentication
• Computer Recognition authentication
• CAPTCHAs
• Single Sign-on

What is API Authentication and why does it matter?

So till now, you have gained knowledge about what is Authentication and why it is important. Now the next question arises what is an API. API is a software protocol and you can say it is a tool using which clients and servers communicate. But how the server will come to know that the client is a real one. API Authentication is a process that certifies the user identity when trying to access server resources. In simple words, you can say API is a way to request data or receive data from an endpoint. API authentication protects malicious data submission and acts as a security layer.

API Authentication methods

We are having numerous API authentication methods. A few of them are mentioned here and discussed in detail as follows:

• HTTP Basic Authentication
• API Key Authentication
• OAuth Authentication
• OAuth 1.0
• OAuth 2.0
• Bearer Authentication
• OpenID Connect
• LDAP Authentication Advanced
• Digest Authentication
• Hawk Authentication
• AWS Signature
• NTLM Authentication
• Akamai EdgeGrid

Let me introduce each of these API authentications

HTTP Basic Authentication

It is simpler Authentication but you can’t give your password to someone else. The technique used for this method makes use of Base64 encoding. The username and password are combined to form a value. The HTTP header Authorization is used to pass the single value formed from username and password. Whenever a user makes a request the server on checking the Authorization header makes a comparison of it with credentials stored in its system. The client request is fulfilled if the credentials and header details match. On the other hand, if there is a mismatch in credentials and header details then a request denied message is sent and authentication is failed. You can say this Authentication is used for checking Proxy-Authorization. In other words, you can consider this authentication such as you just have to send a username and password for the API call. For instance, Mailchimp and Twilio use Basic Authentication. This method is used by HTTP and HTTPS requests. Such a method is used for web applications to apply protection over them using single password protection. This method can’t be used without SSL but can combine with other security methods.

Input Variables:

• Username
• Password

API Key Authentication

The key Authentication method makes use of an API key to provide access to a particular service and routine. This method was introduced to overcome the shortcomings of HTTP basic authentication as the credentials were shared. In this method, you can make use of an API key that consists of a series of letters and numbers. You have to combine the request header or request a URL with the API key. To gain access to data users make use of the API key and the server checks the identity of the user. The public key and private key can be used according to need. Public keys lemmatize the number of users to access a particular function and private keys work like a password. This method is highly secure and reliable as a unique key is used. Stripe and Sendgrid make use of API keys. It is used by both HTTP and HTTPS protocols. In case when initial authentication fails this method provides limited access also.

For more security you have to follow some important points as follows:

• Always try to use the HTTPS protocol
• Try to make use of a simple API key
• Do try to avoid exposure to information using URLs.
• Make use of hash passwords.
• Remember to use parameter validation.

Input Variables:

Key: This is the name of the key that API uses as an identifier in the parameters. Most of the API uses token as the key

Value: This contains the unique generated for your users.

Both of the input variables can be passed either in the header or as a query parameter depending on the API that you’re using.

OAuth Authentication

This method makes use of authentication and authorization together. It came into existence in 2007. It allows applications to communicate with the API server to gain access. In this method, token-based authentication is requested. The client sends its request to the authentication server to process it. This approach is very secure and powerful as compared to others. It is used by various clients and applications. This method makes use of time-limited tokens. It is compatible with the HTTPS protocol. In this method, you just have to press the sign-in button to grant permission and quickly the app authenticates the user request. This method provides you with the best user experience. Google, Facebook, and Twitter use this method. The idea behind using OAuth is that the end-user needs not to share its credentials with anyone.

OAuth1.0

It is revised to OAuth1.0A. It is also known as the Digest Authentications Scheme. It is completely secured, tested, and very popular authentication. This method is based on signatures and makes use of the cryptographic signature. The signature used in this method is a combination of token secret, nonce, and information requested by the user. You can use this method with or without SSL. This version is more complicated as compared to OAuth2.0.

Input Variables:

Signature Methods: OAuth1.0 different signature methods like HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, and PLAINTEXT.

Consumer Key: It is a value used by the Consumer to identify itself to the service provider.

Consumer Secret: This is a secret value used by the Consumer to establish ownership of the Consumer Key

Access Token: This is a unique value defined for a period of time to authenticate the user.

Token Secret: Similar to Consumer Secret this is a value used to establish the ownership of the Access Token

Private Key: This is an RSA key in PEM format used for signing the request.

Callback URL: This is a URL where the user will be redirected after the authentication is done.

Verifier: This is a verification code given by the service provider after the authorization.

Nounce: This is a random string generated by the API consumer.

OAuth2.0

It provides 4 types of grants. In this technique, you needn't make use of keyed hash for making each call. It makes use of two tokens the access token and the refreshes token. This method is best in case of identifying a personal user and granting him any access. This authentication method allows the third party to gain limited access to an HTTP service. This method is more secure as it makes use of a token that is revoked after some time. This is a more powerful authentication as attackers aren’t able to use the same token again. Try to make use of this method with flows enabled so that it can support server to server and device authentication. This method works with four flows which are authentication code flow, implicit flow, resource owner password flow, and client credentials flow.

Input Variables:

Callback URL: This is a URL where the user will be redirected after the authentication is done.

Auth URL: This is the endpoint for the authorization server. This is used to get the authorization code.

Access Token URL: The endpoint for the authentication server. This is used to exchange authorization codes for access tokens.

Client ID: It is a unique value used by the Client to identify itself during the application registration process.

Client Secret: This is a secret value issued to the client during registration.

Scope: The scope of the access request like reading, writing, etc.

State: It is a unique value used to prevent cross-site forgery.

Bearer Authentication

In this method, you can make use of security tokens called bearers. This method is also known as Token Authentication which makes use of HTTP authentication. The token used in this technique is a cryptic string that allows the user to access particular resources and URLs. The bearer token is provided by the server when then the user requests a login. To request protected resources, the client sends the token to the authorization header. It is used only by HTTPS protocols. In RFC-6750 this authentication was generated as part of it.

Input Variables:

Token: This is a unique token generated by the API server for the consumer.

OpenID Connect

It is a plug-in that is available for many customers and gives support to various credentials like:

• Signed JWT Access Tokens
• Opaque access Tokens
• Session cookie credentials
• Authorization Code using OpenID
• Client ID and secret for credential grant
• Username and password for password grant

This method acts as a relying party and proxy for OAuth 2.0 resource users. It acts as an identity layer on the top of OAuth2.0. This method verifies the identity based on authentication of the authorization server. It is used to verify end-user identity based on authentication which makes use of a JSON web token called ID token. The authorization server also reveals the profile information of the end-user. This authentication makes use of JSON to specify a RESTful HTTP API. You can make use of this method to get information about the authenticated session.

This method is used by web-based, mobile, and JavaScript clients. An additional feature of this method includes encryption of identity data, OpenID provider’s information, and management of sessions. This method makes use of a Sign-in flow that provides useful information like username and email id. In OpenID connect there is an OpenID Connect discovery in which the server of OpenID publishes metadata.

JWT is used in this method having the following features:

• It is a JSON web token that is open and based on industry-standard RFC 7519.
• It is easy to use and set up.
• In this token, manual management of token creation is a must task as it is used for a secure representation of claims between two parties.
• It is more secure than API key authentication as it allows you to decode and verify JWT.

Input Variables:

JWT: This is a unique token generated by the server, the consumer needs to pass this token with every request.

LDAP Authentication Advanced

This authentication method is provided by Kong Enterprise which enables LDAP bind authentication. This method enables service, route, or previous versions of Kong. It acts as a global plug-in and runs after receiving a request. This technique provides limited access to an anonymous user when authentication fails.

Input Variables:

DN: This is a unique string assigned to a client to identify them uniquely. Password: This is the password that is required when authenticating.

Digest Authentication

In this method, the client requests API. The server in the response to the request provides nonce, a real value, and a 401 unauthorized response. After that, the user sends back an encrypted data array containing the username, password, and server response data. The server compares the user request with an encrypted string made from data sent by the user. This method is used by web servers to negotiate credentials. Such type of method is useful in cases where there is a need to confirm user identity before sharing sensitive information with him.

It is used by various online banking systems. A hash function is applied to the username and password. It uses HTTP protocol and reversible Base64 encoding. This method was developed by Phillip Hallam, a banker at CERN in 1993. This scheme uses MD5 cryptographic hashing and nonce to protect the user from a replay attack. In this method, the server isn’t provided with a clear password. This method reduces the chances of Phishing. Digest authentication can be attacked through man in a middle attack. This scheme uses a less strong password hash.

Input Variables:

Username

Password

Realm: This is a string specified by the server in the WWW-Authenticate response header. It should contain at least the name of the host performing the authentication and might also indicate the users who have the access.

Algorithm: It supports different algorithms like MD5, MD5-sess, SHA-256, SHA-512, SHA-512-sess, SHA-512-256, SHA-512-256-sess.

qop: It indicated the quality of protection applied to the message.

Client Nonce: This is an opaque string provided by the client to be used by both client and server to avoid plaintext attacks.

Hawk Authentication

This method makes use of partial HTTP request cryptographic verification, request URI, and host. You have to enter Hawk Auth ID, Auth key, and algorithm fields. In this method, the MAC (message authentication code) algorithm is used to make an HTTP request. It makes use of user credentials including the identifier and key to be used in the MAC algorithm. To apply the hawk scheme you need to provide a shared symmetric key to the client and server. The shared credentials are provided through a TLS-protected phase. This method is used to improve basic HTTP authentication.

Hawk authentication is used to secure the credentials and avoids exposure to a malicious server. To provide secure communication this method makes use of timestamps. The client needs a token id and key from the server to sign the requests. Hawk authentication can be used in pyramid applications and node.js express apps. The real-time use example of hawk authentication is in Mozilla services. This method is compatible with drupal8. Its first version was provided by Eran Hammer in November 2012.

Input Variables:

Hawk Auth ID: It is similar to Client ID in OAuth, it is a unique value assigned to API consumers.

Hawk Auth Key: Similar to API Key generated using algorithms for the consumers.

Algorithms: It supports multiple algorithms like Sha256 and SHA1.

AWS Signature Authentication

This authentication is used in Amazon web Services. It makes use of a custom HTTP scheme that is based on keyed-HMAC for authentication purposes. Other parameters followed in this method are the AWS region, service name, and session token.

AWS signature authentication allows:

• To verify the identity of the requester.
• To provide in-transit data protection.
• To protect the reuse of signed portions of requests.

In this method, authentication information can be provided by either an HTTP authorization header or using query string parameters. First of all, you have to send an authentication request including a signature. In AWS authentication you needn't use a secret access key to sign any request. Instead of using its secret access key, this method makes use of a secret access key to create a signing key. The signing key remains under a specific domain and never gets expired. On receiving an authentication request, the Amazon server recreates the signature. The request is accepted if both signs are matched, otherwise, the request is rejected.

Input Variables:

Access Key: This is the key generated from the AWS console.

Secret Key: This is the secret generated from the AWS console.

NTLM Authentication

It is an authorization flow used in the windows operating system and for standalone applications. This method is also known as Windows challenge/Response. Few other advanced parameters to be used for this authentication are domain and workstation. It is used for login authentication and makes use of a domain name, user name, and a hash of the user’s password. In this scheme, you needn't send a user password for authentication purposes.

NLTM authentication uses two systems as follows:

• Client system- is used for making authentication requests.
• Domain controller- it saves information related to user password.

In the case of non-interactive authentication, you only need the client, server, and domain controller. In this method, the user provides some information to the client's computer like domain name, password, and user name. In return, the client computer generates the cryptographic hash. The client sends a username in the form of plain text to the server. The server creates a nonce and sends it back to the client. New secured NTLMv2 is introduced which protects against brute-force and replay attacks. This method is used by windows NT4.0 OS as the default network authentication protocol. This authentication protocol is created by Microsoft and initially was a proprietary protocol. It is used as an SSO (single sign-on) process that uses MD4 for password encryption.

Input Variables:

Username Password

Akamai EdgeGrid Authentication

This is used as an authorization helper which is developed by Akamai. To use this method you have to enter the access token, client token, and client secret. You need to make a proper authentication request to use this method.

Input Variables:

Access Token: This is the token generated by the server which defines the privileges of a user.

Client Token: It is a unique value used by the Client to identify itself during the application registration process.

Client Secret: This is a secret value issued to the client during registration.

HMAC Authentication

This is known as hash-based message authentication. In this method, an authentication code is generated with the combination of a secret key and hashing function. The authentication method is used for checking the message's authenticity and integrity. The method is used mostly by Amazon Web Services. This method uses two important things as first is a secret key and the second is a key identifier. The authentication method signs the whole request which can have MD5. To use this method you needn't use SSL. The method is similar to digital signatures.

Input Variables:

X-CT-Authorization: This is a combination of Public Key and Signature appended after CTApiV2Auth.

Conclusion

Here in this article, we have shared many API authentication methods with you. Do try to find which method is most suitable for you? There was a survey of more than 100 APIs and it was discovered the most widely used method is OAuth 2.0. Basic authentication is also a good choice but it is more vulnerable to attacks because it doesn’t make use of any encryption. In some cases users also make use of OpenID connect which is OAuth2.0 based. The popularity of Oauth2.0 is due to the reasons that it is easy to use and provides scalable security by making use of RSA encryption. The implementation cost is even also low.