
How to authenticate to REST APIs?

Overview

Authentication is a critical component of internet security, and any REST API that lets clients access or modify sensitive or critical data must have an authentication system in place.

If you want to integrate with a REST API, you will need to account for this. There are two major methods of authentication: username and password, otherwise known as basic authentication, and OAuth, which lets you authenticate with an access token that represents an authorized account.

Type of authentication

REST APIs can support either of these methods of authentication.

With Basic authentication, access is typically binary: either you can access all account data and functionality or none of it, and access can typically only be revoked by changing the user's password.

Conclusion

OAuth is by far the preferred method because it offers much better security than basic authentication: because the client holds an access token rather than the user's password, it is much easier to grant and revoke access to just the resources a REST client needs.

It does this by orchestrating an authentication between the resource owner and the HTTP service.

Once this has been completed, the REST client sends the access token in a bearer Authorization header. This type of authentication should only be done over HTTPS (TLS/SSL), since otherwise the token is exposed in transit to anyone who can observe the connection.
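As an added example (not code from the original article), the following Python sketch contrasts the two schemes on the server side: Basic credentials are verified against a salted password hash and grant everything, while bearer tokens carry scopes and can be revoked individually without touching the password. The user name, password, salt and in-memory stores are constructed for the demo; in a real deployment the token store would be the OAuth authorization server.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo password store: user -> (salt, PBKDF2 hash). Assumed values, not from any real service.
_SALT = b"demo-salt"
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000))}

# Bearer token store: token -> (owner, scopes). Revoking a token is just dropping its entry.
TOKENS = {}


def basic_header(user, password):
    """Client side: build an Authorization header for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def issue_token(owner, scopes):
    """Stand-in for the OAuth server: mint an opaque token limited to `scopes`."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (owner, frozenset(scopes))
    return token


def revoke_token(token):
    TOKENS.pop(token, None)


def authorize(header, required_scope):
    """Server side: return (owner, allowed) for a request carrying `header`."""
    scheme, _, param = (header or "").strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()
    if scheme == "basic":
        try:
            user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None, False
        salt, expected = USERS.get(user, (_SALT, b"\0" * 32))  # dummy keeps timing uniform for unknown users
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user in USERS and hmac.compare_digest(got, expected):
            return user, True  # Basic auth is all-or-nothing: the password grants every scope
        return None, False
    if scheme == "bearer":
        entry = TOKENS.get(param)
        if entry is None:
            return None, False  # unknown or revoked token
        owner, scopes = entry
        return owner, required_scope in scopes  # scoped access, revocable per token
    return None, False
```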