API Keys vs HTTP Authentication vs OAuth in a RESTful API

Shauna picture Shauna · Jul 20, 2011 · Viewed 41.5k times · Source

I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few different opinions on what form to use. I've seen some resources say HTTP-Auth is the way to go, while others prefer API keys, and even others (including the questions I found here on SO) swear by OAuth.

Then, of course, the ones that prefer, say, API keys, say that OAuth is designed for applications getting access on behalf of a user (as I understand it, such as signing into a non-Facebook site using your Facebook account), and not for a user directly accessing resources on a site they've specifically signed up for (such as the official Twitter client accessing the Twitter servers). However, the recommendations for OAuth seem to be even for the most basic of authentication needs.

My question, then, is - assuming it's all done over HTTPS, what are some of the practical differences between the three? When should one be considered over the others?

Answer

Sid picture Sid · Jan 17, 2012

It depends on your needs. Do you need:

  • Identity – who claims to be making an API request?
  • Authentication – are they really who they say they are?
  • Authorization – are they allowed to do what they are trying to do?

or all three?

If you just need to identify the caller to keep track of volume or number of API Calls, use a simple API Key. Bear in mind that if the user you have issued the API key shares it with someone else, they will be able to call your API as well.

But, if you need Authorization as well, that is you need to provide access only to certain resources based on the caller of the API, then use oAuth.

Here's a good description: http://www.srimax.com/index.php/do-you-need-api-keys-api-identity-vs-authorization/