API authentication best practices
Verify the identify of a user or application.
Problem statement
Virtually all commercial APIs require consumers to authenticate themselves, in order to prevent unauthorized access, data breaches, and abuse. Freely available APIs that manage unsensitive data are also vulnerable to attacks that can compromise their availabilty, such as a denial of service attack. A authentication mechanism makes it easier to implement security measures such as rate limiting on a per-client basis.
It is also desirable for API products to track usage on a per user or per application basis, in order to discover and prioritize enhancements.
Success criteria
Security organizations are often viewed as cost centers, which can make tracking meaningful metrics for security features, like authentication, difficult. In the event of a breach, the quality of an authentication system can impact other incident response metrics.
Counter metrics ensure that the design and implementation of the authentication does not adversely impact other goals of the API, such as improving its developer experience.
| Goal | Signal | Metric |
|---|---|---|
| Improve API security | Number of data loss incidents | The number of security incidents involving data loss per quarter/year is 0. |
| Developer activation is not impacted | Time to hello world | The average time between a developer creating an account to successfully making an API request and obtaining a response is less than X hours/days. |
| API performance is not impacted | Request latency | The median or nth percentile of requests are served in under X milliseconds. |
Product requirements
All requests to the API should be authenticated, even where the requested data is non-sensitive, public information.
APIs should also distinguish whether clients must be confidential applications such as servers owned and operated by the customer, or unconfidential applications such as web or mobile applications.
User stories
Authentication can often be a stumbling block for new developers getting starting with an API. Depending on your API product, this may result in fewer developers converting into activated customers.
Your documentation's Getting Started guide should describe how to authenticate in clear, unambigous steps that anyone can follow.
It is good practice include a way for the developer to confirm that they have successfully authenticated, and track this step as part of the developer onboarding funnel.
Web or mobile applications should always be treated as untrusted, since their source code and network traffic can be access more easily by malicous actors.
Do not require customers to embed permanent credentials such as API keys or client secrets within such applications.
Security breaches may happen on either the provider's side and consumer's side. In the event of credentials leaking, the authentication mechanism should provide a means of immediately revoking any compromised credentials and reissue new ones to customers.
This implies that the authentication mechanism should require a non-confidential user or application identifier in addition to a confidential token, key or password, in order to enable business continuity in the event of a breach.
At a minimum, API access logs should record the "when, where, who and what" of each event. Take care not to output any sensitive information, such as API keys or PII.
When logging the user or application's identity, make sure that your authentication mechanism does not regard identity as sensitive information.
See Logging Cheat Sheet.
Security best practices for microservice architectures recommends that internal services authenticate with each other during service-to-service communication. This authentication mechanism should be designed so as not to impose a large overhead on the overall API request latency.
See Microservices Security Cheat Sheet for more recommendations.
Explore design patterns
HTTP authentication
Authenticate using username and password.
API key authentication
Authenticate using a unique key.
OAuth 2.0 authentication
Authenticate using an OAuth 2.0 flow.
API examples
Here are some examples of public APIs and their authentication mechanisms:
| API | Authentication mechanism |
|---|---|
| Salesforce Platform APIs | OAuth 2.0 |
| Notion API | Access token for internal integrations or OAuth 2.0 for public integrations |
| WhatsApp Cloud API | Access tokens |
| PayPal APIs | OAuth 2.0 |
| Stripe API | API key with Authorization: Basic |
| Razorpay APIs | HTTP Basic Auth |
| MongoDB Data API | API key via apiKey header |
| Zoho CRM REST APIs | OAuth 2.0 |
| Datadog REST API | API key via DD-API-KEY header. Some endpoints also require application key via DD-APPLICATION-KEY header. |
| Meraki Dashboard API | API key via Authorization: Bearer API_KEY |
| Pipedrive API | API token, or access token with OAuth 2.0 |
| Twilio Messaging / SMS API | HTTP Basic authentication |
| GitHub API | Authorization: Bearer with personal access token or token generated by an app |