General Authentication Related Information
Reading time 12 min
API Authentication Options
API authentication is the process of verifying the identity of the user or application that is calling an API; authorization, which decides what that identity is allowed to do, is a separate step that builds on it. There are many API authentication options available, each with its own strengths and weaknesses. The APIsec platform provides a flexible mechanism that lets customers authenticate to a large variety of APIs, regardless of the scheme the API implements.
API Keys
API keys are secret tokens that identify a calling application and grant it access to an API. They are typically generated by the API provider and handed to the application developer. API keys are simple to issue and use, but they are a bearer credential: anyone who obtains the key can call the API as that application. Because keys are usually long-lived, they should only ever be sent over TLS, kept out of source code and logs, and rotated as soon as exposure is suspected.
OAuth 2.0
OAuth 2.0 is an authorization framework that lets a third-party application obtain limited, scoped access to a user's account. The user authenticates to the authorization server of the service that hosts the account (OAuth 2.0 itself does not specify how; OpenID Connect layers authentication on top of it), consents to a set of scopes, and the application receives an access token that it presents to the API in place of the user's password.
Authentication Options Supported in APIsec
APIsec supports a multitude of HTTP authentication schemes and options for authenticating users to web servers. The following authentication options are available in the "Environments" configuration screen:
1. Basic Authentication
Basic authentication is the simplest HTTP authentication scheme. The client sends the username and password, joined by a colon and Base64-encoded, in the Authorization header of every request. Base64 is an encoding, not encryption, so the credentials are effectively transmitted in clear text and the scheme is only acceptable over TLS. APIsec configuration looks like this:
2. Bearer Authentication
Bearer authentication replaces the password with an access token: a string issued by the API provider (or its authorization server) to the application, which includes it in the Authorization header of each API request as "Authorization: Bearer <token>". It is generally preferable to Basic authentication because the user's password is never sent to the API and the token can be scoped and short-lived, but the token is itself a bearer credential, so anyone who captures it can use it until it expires or is revoked. APIsec configuration looks like this:
3. JWT Authentication (JSON Web Token)
JWT authentication is a popular way to authenticate users and applications. A JSON Web Token carries the subject's identity and authorization claims as a signed JSON payload. The signature, produced by the issuer (the API provider or its identity provider), makes the token tamper-evident: any change to the claims invalidates it. Because the token is self-contained, a server that holds the verification key can validate it locally without a round trip to the issuer. Verification must check the signature with a key and algorithm the verifier has pinned, not whatever the token's own header claims, and must check the expiry (exp) claim, since these tokens usually expire after a predetermined time and therefore need to be refreshed regularly. APIsec configuration looks like this:
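The three header schemes above, worked through in code. This is an added example and not part of the APIsec documentation or product: it builds a Basic header and shows how trivially it decodes, builds a Bearer header, and issues and locally verifies an HS256 JWT with the algorithm pinned and the exp claim enforced. The key, claims and timestamps are constructed sample values; a real verifier would load the key from the issuer's configuration.

```python
import base64
import hashlib
import hmac
import json
import time


def basic_header(username, password):
    """RFC 7617 Basic: 'user:pass' Base64-encoded. Encoding, not encryption."""
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic(header):
    """Anyone who sees the header (no TLS) recovers the password this easily."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def bearer_header(token):
    """RFC 6750 Bearer: whoever holds the token can use it, so treat it as a secret."""
    return "Bearer " + token


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, key):
    """Issuer side: HS256-sign header.payload. Shown only so the verifier can be exercised."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now=None):
    """Local verification: no round trip to the issuer is needed.

    The algorithm is pinned to HS256; the token's own header is never allowed
    to choose it (that is how 'alg: none' and key-confusion attacks work).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def token_status(token, key, now=None):
    """'ok' or the reason verification failed."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    basic = basic_header("UserA", "s3cret")
    print(basic, "->", decode_basic(basic))
    jwt = make_jwt({"sub": "UserA", "scope": "read", "exp": 1_700_000_600}, KEY)
    print(bearer_header(jwt))
    print("valid at issue:", token_status(jwt, KEY, now=1_700_000_000))
    print("after expiry:  ", token_status(jwt, KEY, now=1_700_000_601))
    # Tampering: swap the payload for one claiming a different subject.
    h, _, s = jwt.split(".")
    forged = ".".join([h, _b64url(b'{"sub":"admin","exp":1700000600}'), s])
    print("forged payload:", token_status(forged, KEY, now=1_700_000_000))
```

Run it directly to see the Basic header decode back to the password, the JWT verify at issue time and fail after exp, and the forged payload rejected with "bad signature" even though the original signature is still attached.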
4. OAuth 2.0 Authentication
OAuth 2.0 is a popular option; its configuration settings in APIsec look like this:
5. Multi Step Authentication
Multi-step authentication is a combination of several steps, each following a specific path (for example a login call that returns a session, followed by an exchange of that session for an access token), to ultimately obtain authorization to access the API. It is often the most flexible option: the APIsec platform lets customers implement and execute these steps in a script that returns the necessary keys. The image below shows how this is configured in APIsec:
Example Header:
Authorization: Bearer {{@Cmd | /tmp/Custom_Auth.sh UserA [[@Vault.UserA/Password]] }}
Note: The "Custom_Auth.sh" example script takes two input parameters: the username "UserA" and the vaulted password associated with that user, referenced as [[@Vault.UserA/Password]] rather than written into the header template. The bearer token the script returns is substituted into the header in place of the {{@Cmd ...}} expression.
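A script of the kind the {{@Cmd | ...}} header above would invoke, written as an added example that is not APIsec's code or the Custom_Auth.sh referred to in the documentation. It assumes the contract that the script receives the username and password as its two arguments and prints only the bearer token on stdout (diagnostics go to stderr, failures exit non-zero). The two endpoints, the JSON field names and the in-memory backend used to exercise the flow offline are all invented for the example; a real script would use the http_post transport only.

```python
#!/usr/bin/env python3
"""Hypothetical multi-step auth script: custom_auth.py <username> <password>."""
import json
import sys
import urllib.request

LOGIN_URL = "https://api.example.test/auth/login"   # assumed endpoint
TOKEN_URL = "https://api.example.test/auth/token"   # assumed endpoint


def http_post(url, body, headers):
    """Real transport: JSON POST returning (status, response headers, raw body)."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json", **headers},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, dict(resp.headers), resp.read()


def get_bearer_token(username, password, post=http_post):
    """Step 1: log in with the credentials to obtain a session id.
    Step 2: exchange the session id for a short-lived bearer token."""
    status, _, body = post(LOGIN_URL, {"username": username, "password": password}, {})
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}")
    session_id = json.loads(body).get("sessionId")
    if not session_id:
        raise RuntimeError("login response carried no sessionId")

    status, _, body = post(TOKEN_URL, {"grant": "session"}, {"X-Session-Id": session_id})
    if status != 200:
        raise RuntimeError(f"token exchange failed with HTTP {status}")
    token = json.loads(body).get("access_token")
    if not token:
        raise RuntimeError("token response carried no access_token")
    return token


def try_get_token(username, password, post=http_post):
    """(token, None) on success, (None, reason) on failure. The reason never echoes the password."""
    try:
        return get_bearer_token(username, password, post), None
    except (RuntimeError, ValueError, OSError) as exc:
        return None, str(exc)


# Constructed in-memory backend so the two-step flow can be exercised offline.
FAKE_USERS = {"UserA": "correct-horse-battery"}
FAKE_SESSION = "sess-8f2c"
FAKE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.constructed.token"


def fake_post(url, body, headers):
    if url == LOGIN_URL:
        if FAKE_USERS.get(body.get("username")) == body.get("password"):
            return 200, {}, json.dumps({"sessionId": FAKE_SESSION}).encode()
        return 401, {}, b'{"error":"invalid credentials"}'
    if url == TOKEN_URL:
        if headers.get("X-Session-Id") == FAKE_SESSION:
            return 200, {}, json.dumps({"access_token": FAKE_TOKEN}).encode()
        return 403, {}, b'{"error":"no session"}'
    return 404, {}, b""


def main(argv, post=http_post):
    if len(argv) != 3:
        print("usage: custom_auth.py <username> <password>", file=sys.stderr)
        return 2
    token, err = try_get_token(argv[1], argv[2], post)
    if err:
        print(f"auth failed for {argv[1]}: {err}", file=sys.stderr)
        return 1
    print(token)  # stdout carries the token and nothing else
    return 0


if __name__ == "__main__":
    if sys.argv[1:2] == ["--demo"]:
        # Offline demonstration against the constructed backend.
        sys.exit(main(["custom_auth.py", "UserA", "correct-horse-battery"], post=fake_post))
    sys.exit(main(sys.argv))
```

Keeping stdout limited to the token matters because whatever the script prints is what lands in the Authorization header; a stray log line would produce a malformed header and every request would fail authentication.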
6. Authentication in the Request Body (Less Common)
Steps to configure authentication in the request body
In most APIs, authentication credentials are submitted in the request header. However, some APIs require a credential such as an authentication key, a token, or a session ID in the request body.
Here are the steps to configure credentials in the request body:
1. Use the existing authentication options to configure the credentials. Using the curl command, you can generate a dynamic token, or use a static token, and assign it to a header name such as Authorization or authenticationKey. Refer to this documentation for more information on generating dynamic tokens: https://docs.apisec.ai/Token%20Generation%20Code/
2. Depending on the credentials used in the playbooks, the credentials are substituted automatically in the request headers.
3. Now refer to the substituted header from the request body and update the payload section. Navigate to Configurations, Payloads, and the Default tab, and update the field in the request body that requires a token or an authentication key with the following syntax:
{ "authenticationKey": "{{@RequestHeaders.authenticationKey}}" }
Note: authenticationKey is the header name defined in step 1.
4. Lock and save the payload and regenerate the playbooks.
5. For ABAC, configure UserA and UserB credentials, update the payload within the same category, and regenerate the playbooks.
6. For static tokens or keys, create variables with the following notation: UserB.authenticationKey and UserC.authenticationKey. Then use the syntax {{@Var.authenticationKey}} in the payload. APIsec automatically substitutes the appropriate authenticationKey when executing a playbook with UserB or UserC credentials.