Crone - 6 days ago 5
reST (reStructuredText) Question

REST API for internal consumption and authentication

When I use public APIs from web applications, I am provided with an API key that I use inside my client, as a string.

Now suppose I design a REST API for internal consumption. Let's say for a mobile app eshop. The user of the eshop logs in with a username and a password.

Does that mean that my client won't use API key authentication but username and password? I also see OAuth2 a lot in REST APIs, which also seems like a key-oriented authentication. Are they just different types, all valid ones? The API keys are usually issued for developers though, could that work with customers?

Answer

It could work, and it's also what you will see in many cases. You log in with username and password (POST request) and the server returns an authentication token, which you store in a cookie or in Local Storage, respectively through headers or JavaScript. When user-specific information is required, you use that token to authenticate, similar to how OAuth2 and developer keys work.
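The flow the answer describes, as an added example that is not part of the original post or of any real eshop: a POST /login handler that checks the password and issues a random bearer token, and a user-specific endpoint that resolves the `Authorization: Bearer <token>` header back to the user. The user table, the order data, the one-hour token lifetime and the in-memory session store are all constructed for the example; a real service would keep sessions in a database or cache. The server stores only a hash of each token, so a leaked session table cannot be replayed, and password and token comparisons use constant-time checks.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample user store (not a real database): username -> (salt, PBKDF2 hash)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

_SALT = secrets.token_bytes(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse battery", _SALT)),
}
ORDERS = {"alice": ["order-1001"]}          # constructed user-specific data

# Issued sessions: sha256(token) -> (username, expiry). Only the token hash is kept,
# so a copy of this table does not hand out live tokens.
SESSIONS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 3600                     # assumed one-hour lifetime

def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """POST /login: return a fresh bearer token on success, None otherwise."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    # Run the hash even for unknown users so timing does not reveal which usernames exist.
    salt, expected = record if record is not None else (_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if record is None or not ok:
        return None
    token = secrets.token_urlsafe(32)        # 256 bits of randomness, URL/header safe
    SESSIONS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token

def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Resolve an 'Authorization: Bearer <token>' header to a username, or None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    key = _token_key(token)
    session = SESSIONS.get(key)
    if session is None:
        return None
    username, expiry = session
    if now >= expiry:                        # expired: drop it so it cannot be reused
        SESSIONS.pop(key, None)
        return None
    return username

def logout(headers: Dict[str, str]) -> bool:
    """POST /logout: revoke the presented token server-side."""
    _, _, token = headers.get("Authorization", "").partition(" ")
    return SESSIONS.pop(_token_key(token), None) is not None

def get_my_orders(headers: Dict[str, str], now: Optional[float] = None) -> dict:
    """GET /me/orders: a user-specific endpoint gated by the session token."""
    user = authenticate(headers, now)
    if user is None:
        return {"status": 401, "body": {"error": "unauthorized"}}
    return {"status": 200, "body": {"user": user, "orders": ORDERS.get(user, [])}}

if __name__ == "__main__":
    tok = login("alice", "correct horse battery")
    print(get_my_orders({"Authorization": f"Bearer {tok}"}))
```

On the client side the token is the only secret that needs storing: a web client keeps it in a cookie flagged `Secure`, `HttpOnly` and `SameSite` (or in Local Storage, which JavaScript on the page can read), while a native mobile app should use the platform keychain rather than plain preferences. Revoking a session is a single delete on the server, which is the practical advantage of opaque random tokens over self-contained ones.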

Comments