The first type of API authentication I'll talk about is HTTP Basic Authentication.
HTTP Basic Authentication is defined by RFC 7617, published in September 2015 by the Internet Engineering Task Force (IETF). Together with RFC 7616 (Digest), it obsoletes RFC 2617, which was published in 1999 and defined both Basic and Digest authentication in a single document.
Basic authentication is the simplest form of web authentication. It is stateless and doesn't require cookies, session identifiers, or login pages, unlike most other forms of web authentication in use today.
Basic authentication works as follows:
1. The client requests a protected resource without credentials.
2. The server responds with a 401 Unauthorized status and a WWW-Authenticate header that tells the client which scheme and realm to authenticate with, e.g. WWW-Authenticate: Basic realm="api".
3. The client joins its credentials with a colon (username:password), base64-encodes the result, and sends it in the Authorization header like so:
Authorization: Basic base64(username:password)
The server receives this request, base64-decodes the Authorization header value, splits it on the first colon (RFC 7617 forbids a colon in the username, but the password may contain one), and checks the credentials to decide whether the user is allowed to perform the operation.
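The exchange above from both sides, as an added example that is not part of the original article: a client helper that builds the header, a server-side parser that decodes it, and a request handler that issues the 401 challenge or accepts the credentials. The credential store, the svc-reports username and its password are constructed for the example; the only real-world value is RFC 7617's own test vector, Aladdin / open sesame.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example: API username -> API password.
# A real service would keep a salted hash rather than the password itself.
CREDENTIALS = {"svc-reports": "Xq7vL2pD9mH4sK8w"}

REALM = "api"  # realm name chosen for the example


def build_basic_header(username: str, password: str) -> str:
    """Client side: build the Authorization header value for one request.

    RFC 7617 forbids a colon in the user-id because the server splits on the
    first colon, so refuse it here instead of silently corrupting the password.
    """
    if ":" in username:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str):
    """Server side: return (username, password), or None if the header is not a
    well-formed Basic credential (wrong scheme, bad base64, no colon)."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_credentials(username: str, password: str, store: dict) -> bool:
    """Constant-time comparison so a wrong password and an unknown user cannot
    be told apart by response timing."""
    expected = store.get(username, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and username in store


def handle_request(headers: dict, store: dict = CREDENTIALS):
    """Decide one request. Returns (status, response_headers).

    Missing or invalid credentials get a 401 plus a WWW-Authenticate header
    naming the scheme and realm, which is what tells the client what to send.
    """
    auth = headers.get("Authorization")
    creds = parse_basic_header(auth) if auth else None
    if creds is None or not check_credentials(creds[0], creds[1], store):
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return 401, {"WWW-Authenticate": challenge}
    return 200, {}


def walkthrough() -> list:
    """The full flow: an unauthenticated request, then the retry with credentials."""
    log = []
    status, resp = handle_request({})
    log.append((status, resp.get("WWW-Authenticate")))
    header = build_basic_header("svc-reports", CREDENTIALS["svc-reports"])
    status, _ = handle_request({"Authorization": header})
    log.append((status, header))
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

Two details worth noticing: the parser splits on the first colon only, so a password containing a colon survives the round trip, and the server compares with hmac.compare_digest rather than ==, so the time it takes to reject a guess does not depend on how many leading characters were right.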
When using HTTP Basic Authentication to secure APIs, it's recommended that the username and password be long, random strings rather than easy-to-remember names. Entropy is a measure of unpredictability ("lack of order"), and it is what makes a password hard to guess, especially when you are the one generating it: the more random the generation process (ideally a cryptographically secure random number generator), the better. It is also important that the API username and password not be the same as the account's login username and password. Sharing them has security implications (an API credential leaked from a config file or a log would then open the account itself), and something as simple as a user clicking "forgot password" would change the credential and knock every application that uses it offline.
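To make that recommendation concrete, here is an added example (not from the original article) of issuing and storing API credentials the way the paragraph suggests: the credential comes from the OS CSPRNG, the server keeps only a salted hash of it, and the table is separate from the account password, so a reset of one never touches the other. The ak_ prefix, the 32-byte secret length and the PBKDF2 iteration count are choices made for this example.

```python
import hashlib
import hmac
import math
import secrets


def generate_api_credentials(secret_bytes: int = 32):
    """Return (api_username, api_password) drawn from the OS CSPRNG.

    The username is only an identifier, so 64 bits is plenty; the password gets
    256 bits, far beyond anything a human would choose or remember.
    """
    api_username = "ak_" + secrets.token_hex(8)           # 16 hex chars
    api_password = secrets.token_urlsafe(secret_bytes)    # 43 chars for 32 bytes
    return api_username, api_password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose characters are chosen uniformly at random:
    log2(alphabet_size ** length). This only holds for random generation;
    a human-chosen string of the same length has far less effective entropy."""
    return length * math.log2(alphabet_size)


def hash_secret(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a leaked table does not reveal the secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


class ApiCredentialStore:
    """Server-side table of API credentials, kept apart from account passwords."""

    def __init__(self):
        self._rows = {}  # api_username -> (salt, hash)

    def issue(self) -> tuple:
        """Create a credential, store only its hash, and return the plaintext
        once. The caller must show it to the user now; it cannot be recovered."""
        username, password = generate_api_credentials()
        salt = secrets.token_bytes(16)
        self._rows[username] = (salt, hash_secret(password, salt))
        return username, password

    def verify(self, username: str, password: str) -> bool:
        """Recompute the hash with the stored salt and compare in constant time."""
        row = self._rows.get(username)
        if row is None:
            return False
        salt, expected = row
        return hmac.compare_digest(hash_secret(password, salt), expected)

    def revoke(self, username: str) -> None:
        """Revoking an API credential is independent of the account password."""
        self._rows.pop(username, None)


if __name__ == "__main__":
    store = ApiCredentialStore()
    user, secret = store.issue()
    print(user, secret, store.verify(user, secret))
    print("8 lowercase letters:", entropy_bits(26, 8), "bits")
    print("32 random bytes:    ", entropy_bits(256, 32), "bits")
```

The entropy comparison is the point of the exercise: eight lowercase letters chosen uniformly at random give about 37.6 bits, while the 32-byte secret gives 256 bits, and a human-chosen eight-letter word gives far less than 37.6.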
Basic auth is fine to use over TLS, but one of its drawbacks is that the username and password travel over the network on every request. Base64 is an encoding, not encryption, so without TLS the credentials are effectively sent in the clear; even with TLS, repeating them on every request increases the chance that they are leaked, written to a log, or reused in other applications.
Basic authentication has other long term issues as well:
Several authentication schemes use the HTTP authentication framework. Schemes differ in security strength and in their availability in client and server software. All of them use an Authorization header whose value starts with the scheme name followed by a space character. Common scheme names include:
Basic authentication is easy to implement for APIs, but it's rarely used in web applications: the browser shows its own credential prompt rather than a customizable login form, and because the browser caches the credentials for the session, "logging out" effectively requires closing the browser.