Over the past couple of days, I’ve been learning about API authentication . After experimenting with several methods and creating a small project, I thought it’d be a great idea to share my learnings. In this post, we’ll cover:
Let’s get started!
In most cases, we don’t want our private API to be open to just anyone. Authentication helps ensure that only authorized users or clients can access our API. Additionally, authentication helps in limiting the number of requests, keeping track of users, and protecting sensitive data.
But what about APIs that don’t require authentication? You can still secure them to some degree by using rate limiting, which limits the number of requests a user or IP can make within a certain time frame. This is useful when you’re serving static data or don’t need heavy protection.
Now, let’s dive into the three main types of API authentication: Basic Authentication, API Key Authorization, and Token-based Authentication.
Basic authentication involves sending a username and password encoded in Base64 with each API request. While simple to implement, it’s not very secure since the credentials are passed with every request.
I used the Secrets API for this example. First, I registered a user by sending a POST request with the following data:
{ "username": "arka", "password": "221855" }
After successfully registering, I logged in using Postman to send the username and password in the request headers:
GET https://secrets-api.appbrewery.com/all?page=1
This returns a list of secrets stored by the user.
Here’s how I implemented basic authentication in my Node.js app using Axios:
// Basic authentication route app.get("/basicAuth", async (req, res) => { try { const result = await axios.get(API_URL + "/all?page=2", { auth: { username: myUsername, password: myPassword, }, }); res.render("index.ejs", { content: JSON.stringify(result.data) }); } catch (error) { res.status(404).send(error.message); } });
API Key Authorization allows access to an API by passing a key (generated for the user) with each request. This key is used to track the client making the request and can often be tied to rate-limiting or billing.
A key distinction to remember:
With API Key Authorization, you typically get an API key like this:
GET https://secrets-api.appbrewery.com/generate-api-key
After receiving the API key, you can use it to make authorized requests:
GET https://secrets-api.appbrewery.com/filter?score=5&apiKey=generated-api-key
Here’s how I implemented API Key Authorization in my app:
// API key route app.get("/apiKey", async (req, res) => { try { const result = await axios.get(API_URL + "/filter", { params: { score: 5, apiKey: myAPIKey, }, }); res.render("index.ejs", { content: JSON.stringify(result.data) }); } catch (error) { res.status(404).send(error.message); } });
Token-based authentication is more secure than the other methods. The user logs in using their credentials, and the API provider generates a token. This token is used for subsequent requests instead of passing the username and password every time.
This method is commonly used in OAuth, and the token is often valid for a limited time. This is especially useful when third-party apps need to interact with a user's data, like using Google Calendar from another app.
First, I registered and obtained the token:
POST https://secrets-api.appbrewery.com/get-auth-token { "username": "jackbauer", "password": "IAmTheBest" }
Once I received the token, I used it for future requests:
GET https://secrets-api.appbrewery.com/secrets/1
Here’s how I implemented token-based authentication in my app using Bearer Tokens:
// Bearer token route const config = { headers: { Authorization: `Bearer ${myBearerToken}` }, }; app.get("/bearerToken", async (req, res) => { try { const result = await axios.get(API_URL + "/secrets/2", config); res.render("index.ejs", { content: JSON.stringify(result.data) }); } catch (error) { res.status(404).send(error.message); } });
To wrap up my learnings, I created a small web app that implements all four types of API requests (no authentication, basic auth, API key, and token-based). The app features four buttons, each triggering a different type of request.
Here’s a sneak peek of how I set up the routes and buttons in the app:
// No authentication route app.get("/noAuth", async (req, res) => { try { const result = await axios.get(API_URL + "/random"); res.render("index.ejs", { content: JSON.stringify(result.data) }); } catch (error) { res.status(404).send(error.message); } });
You can find the full code for the app here: GitHub Repo.
Cette application démontre l'importance de l'authentification API et comment elle peut être implémentée à l'aide de Axios pour gérer les requêtes dans un environnement Node.js.
En travaillant sur ce projet, j'ai rencontré des problèmes d'envoi de requêtes via Axios, notamment avec l'authentification de base. Après quelques recherches, j'ai trouvé un article utile sur StackOverflow qui a dissipé ma confusion. Si vous rencontrez des problèmes similaires, assurez-vous d'y jeter un œil !
Comprendre l'authentification API est essentiel pour protéger votre API contre les utilisations abusives et limiter les accès non autorisés. En mettant en œuvre une authentification de base, des clés API et une autorisation basée sur des jetons, vous pouvez protéger votre API et garantir qu'elle est utilisée de manière responsable.
Principaux points à retenir :
J'espère que cet article vous a aidé à comprendre les différents types d'authentification API ! N'hésitez pas à poser vos questions ou commentaires dans les commentaires ci-dessous. Bon codage ! ?
The above is the detailed content of A Beginners Guide to API Authentication: From Basics to Implementation. For more information, please follow other related articles on the PHP Chinese website!