Understanding API Authentication with Tokens

Posted by admin at June 24, 2019

Authenticating API client requests is a fundamental feature of any functional stateless system. APIs are stateless in the sense that they do not maintain persistent sessions for client connections and requests. So for every request made to the server, the server has no way of knowing where the request is coming from, even if the requests originated from the same user on the same client. Compare this with persistent sessions in unstacked systems (applications without APIs), where the user logs in once and a session is created and maintained until logout.

One of the simplest ways of handling authentication with APIs is the use of tokens. An API token serves as a very long password that a client attaches to every single request it originates. The token is initially created by the server and issued to the client, and the server keeps it valid for a certain period of time. That period of time can be seen as a stateless session time.

Below is a simple conceptualisation of the mechanism:

// Trial 1: client requests data without authentication credentials
Unknown: I need a list of registered helicopters
API: Sorry, I don't know you.

// Trial 2: client sends incorrect credentials
Unknown: I am Blink Wiki blinkwiki@mailserver.com
API: Your ID is not valid

// Trial 3: client sends correct credentials provided by the user
Unknown: I am Blink Wiki username blinkwiki@mailserver.com, password: blink
// API verifies credentials and returns a "machine password", the API token
API: Ok. Access granted, Blink Wiki. Here is your facility ID 483973gbo8fo7367543fyb43fo8376qi43ub3i74f3.
API: Please use it for all requests.

// Trial 4: client requests data without token
Unknown: I need a list of registered helicopters
API: Sorry, I don't know you

// Trial 5: client requests data with the token
Unknown: I need a list of registered helicopters, here is my ID 483973gbo8fo7367543fyb43fo8376qi43ub3i74f3
API: Hi Blink Wiki, have a seat, let me print you a copy.

As you can see, this method is very simple and has its own security flaws. A major one is that if an authorised client is compromised and its token stolen by a third party, the API will also authorise requests from that impostor, because the token alone is what identifies the caller. To counter this, there are more robust methods of implementing API request authentication, such as OAuth1 and OAuth2.
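As an added example (not code from the original post), here is a minimal server-side implementation of the exchange above in Python: credentials are checked once, a random token with an expiry is issued, and every later request is resolved through the token table. The user store, salt, token lifetime and the revoke helper are assumptions constructed for the demo; revocation is one simple mitigation for the stolen-token problem just described, since the server can forget a token the moment it is reported compromised.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: username -> salted password hash.
# The salt and the single user are assumptions for this example.
_SALT = b"demo-salt"
_USERS = {"blinkwiki@mailserver.com": hashlib.sha256(_SALT + b"blink").hexdigest()}

# Server-side token table: token -> (username, expiry timestamp).
# This is the "stateless session": the server remembers the token, not a connection.
_TOKENS = {}
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of the stateless session


def login(username, password, now=None):
    """Trial 3: verify credentials and mint a random, opaque API token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _USERS.get(username)
    # Constant-time comparison so response timing does not leak how much matched.
    if stored is None or not hmac.compare_digest(stored, digest):
        return None  # "Your ID is not valid"
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token, now=None):
    """Trials 4 and 5: map a presented token back to its user, or reject."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(token)
    if entry is None:
        return None  # "Sorry, I don't know you"
    username, expires_at = entry
    if now >= expires_at:
        del _TOKENS[token]  # the stateless session time is over
        return None
    return username


def revoke(token):
    """Mitigation for a stolen token: the server forgets it immediately."""
    return _TOKENS.pop(token, None) is not None
```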
