1. API Authentication
Many of the APIs we interact with hold private, personal, or otherwise sensitive data. To protect that data, an API requires clients to authenticate, that is, to prove who they are, before it grants access. Let's explore how authentication works.
2. Accessing sensitive data
The album API, which holds our private album collection, requires authentication so the server can verify who is making the request. Attempting to access this protected resource without identifying ourselves results in a 401 Unauthorized response, which, despite its name, means the request is missing valid authentication credentials.
3. Accessing sensitive data
When we add credentials to the request that identify us, the server can verify them and responds as expected with a 200 OK status code.
There are several ways to attach these credentials to an API request. Let's look at the most common ones!
4. Authentication methods
Basic Authentication is the simplest form of API authentication: the client sends its username and password in a header with every request. It is easy to integrate but offers the least protection, because the credentials are only base64-encoded, not encrypted. Anyone who can read the traffic can recover the password, so Basic Authentication is only acceptable over HTTPS, and even then the full password travels with every single request.
API Key or Token Authentication works by attaching a unique, usually long-lived key or token to each request. API keys are simple to implement, but they are bearer credentials: whoever holds the key can use it until it is revoked, so a key leaked through source code, logs, or a shared URL gives an attacker the same access you have.
JWT or JSON Web Token Authentication is similar to API key authentication in that a token is attached to each request, but a JWT has a limited lifespan and carries claims, such as user information, that are signed so the server can verify they have not been tampered with. Note that a standard JWT is signed, not encrypted: its payload is base64url-encoded and readable by anyone who sees the token, so it must not contain secrets.
OAuth 2.0 is an authorization framework that lets a user grant a client fine-grained, scoped access to resources without handing over their password; the client receives a short-lived access token instead and sends that with its requests.
Which mechanism and which credentials you have to use is decided by the API server; the documentation of the API you're using usually explains how to authenticate.
Now, let’s learn how to use Basic and API Key Authentication with the requests package.
5. Basic authentication
To use basic authentication we add an Authorization header to the request we send to the API. Its value is the word Basic followed by the base64 encoding of our username and password joined by a colon (username:password). Base64 is a reversible encoding that anyone can decode in an instant, so it provides no confidentiality at all; only the HTTPS connection protects the password in transit.
Implementing basic authentication with the requests package is easy. Instead of building the header and doing the base64 encoding yourself, you pass a tuple containing your username and password via the auth keyword argument, as in auth=(username, password); requests performs the encoding and adds the Authorization header for you.
6. API key/token authentication
There are two common ways to add an API key or token to our request. The first is to append the key to the URL as a query parameter. In this example, we add the access_token query parameter to the URL using the params keyword argument. Be aware that the key then becomes part of the URL, which tends to end up in server logs, proxy logs, and browser history.
The second option is to send the key in an Authorization header, very often in the form Authorization: Bearer followed by the token. This is usually the preferred method because headers are not logged as routinely as URLs. The requests package has no out-of-the-box helper for this as it does for Basic Authentication, so we add the header ourselves using the headers keyword argument.
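To make the Basic and API key sections above concrete, here is an added example that is not part of the original course or its album API: it starts a fake local "album API" that returns 401 without valid credentials and 200 with them, then replays the slides' requests against it. It uses only the standard library (urllib instead of requests) so it runs offline without any third-party package; the username, password, API key and album data are all constructed for the demo, and the comments show the equivalent requests calls.

```python
"""Added example (not from the original course): a fake local "album API" that demands
credentials, plus a client authenticating as the slides describe. Stdlib only; credentials made up."""
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Constructed credentials for the fake server (assumptions, not real values).
USERNAME = "john@doe.com"
PASSWORD = "correct-horse-battery-staple"
API_KEY = "constructed-api-key-8apDFHaNJMxy8Kt8"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value that requests' auth=(user, pw) sends:
    'Basic ' + base64('username:password'). Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth_header(value: str) -> tuple:
    """Recover username and password from a Basic header. Anyone who can read the
    header can do this, which is why Basic auth is only acceptable over HTTPS."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so a mismatch doesn't leak where it happened."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class AlbumHandler(BaseHTTPRequestHandler):
    """Fake /albums endpoint: 401 without valid credentials, 200 with them."""

    def _authenticated(self) -> bool:
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, pw = decode_basic_auth_header(auth)
            except ValueError:  # bad base64 or not UTF-8
                return False
            return _equal(user, USERNAME) and _equal(pw, PASSWORD)
        if auth.startswith("Bearer "):
            return _equal(auth[len("Bearer "):], API_KEY)
        # A key in the query string works too, but the URL (key included) lands in logs.
        query = parse_qs(urlparse(self.path).query)
        return _equal(query.get("access_token", [""])[0], API_KEY)

    def do_GET(self):
        if not self._authenticated():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="albums"')
            self.end_headers()
            return
        body = json.dumps({"albums": ["constructed sample album"]}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def get_status(url: str, headers=None) -> int:
    """GET the URL and return the status code (urllib raises on 4xx, so catch it)."""
    try:
        with urlopen(Request(url, headers=headers or {}), timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo() -> dict:
    """Start the fake API on a free port and replay the slides' requests."""
    server = HTTPServer(("127.0.0.1", 0), AlbumHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/albums"
    try:
        return {
            "no_credentials": get_status(url),
            # equivalent: requests.get(url, auth=(USERNAME, PASSWORD))
            "basic": get_status(url, {"Authorization": basic_auth_header(USERNAME, PASSWORD)}),
            "wrong_password": get_status(url, {"Authorization": basic_auth_header(USERNAME, "guess")}),
            # equivalent: requests.get(url, params={"access_token": API_KEY})
            "key_in_query": get_status(f"{url}?access_token={API_KEY}"),
            # equivalent: requests.get(url, headers={"Authorization": f"Bearer {API_KEY}"})
            "key_in_header": get_status(url, {"Authorization": f"Bearer {API_KEY}"}),
        }
    finally:
        server.shutdown()
        server.server_close()
```

Calling demo() yields 401 for the unauthenticated and wrong-password requests and 200 for the three authenticated variants. Two details matter on the server side: credentials are compared with hmac.compare_digest rather than ==, so response timing does not reveal how many characters matched, and a malformed Basic header is treated as "not authenticated" instead of crashing the handler.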
7. Let's practice!
Cool, now that we've learned how to use Basic and API key based authentication, let's practice!