
REST API Best Practices: Authentication

Pavle Djuric
Dec 18, 2021


Photo by Marcos Ferreira on Unsplash

Introduction

If you’re making an API that will be subscription-based, you will need some kind of authentication. If you are planning to earn money from your API, authentication is a must.

The good news is that implementing proper authentication isn’t too difficult. What’s more difficult in my opinion is choosing the proper authentication method, and setting up usage plans and rate limiting.

The most common authentication method for APIs is token-based. Tokens are usually passed in an HTTP header, although I have seen them passed in query parameters, or even in body parameters. I strongly encourage you to use only HTTP headers, and to make sure that your API only accepts requests sent over HTTPS, so that all of the data (including your token) is encrypted in transit.

The HTTP header used for authentication can be either the standard Authorization header or a custom one, which can be called pretty much any way you like, although the most common names are something like x-api-key, which indicates that the header will be used for authentication. If you call your authentication header I-Like-Burgers, your clients will probably be puzzled, so keep the custom header name as simple and indicative as possible.
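The header-based token check described above, written out as an added example (this is not the article's own code). It accepts a token from either `Authorization: Bearer` or the custom `X-Api-Key` header, refuses plain HTTP and query-string tokens, and compares keys in constant time against stored digests; the `ISSUED_KEYS` table and the `demo-key-abc123` value are constructed sample data, and hashing keys at rest is an assumption about how the server stores them.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Constructed sample: the server keeps only SHA-256 digests of issued keys,
# mapped to the client they belong to (assumption: keys are hashed at rest).
ISSUED_KEYS = {
    hashlib.sha256(b"demo-key-abc123").hexdigest(): "client-42",
}


def extract_token(headers: Mapping[str, str]) -> Optional[str]:
    """Read the token from 'Authorization: Bearer <token>' or 'X-Api-Key'.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[len("bearer "):].strip() or None
    return lowered.get("x-api-key", "").strip() or None


def lookup_client(token: str) -> Optional[str]:
    """Map a presented token to a client id, or None if it is not issued."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot learn
    # how many leading characters matched from the response latency.
    for stored, client in ISSUED_KEYS.items():
        if hmac.compare_digest(stored, digest):
            return client
    return None


def authenticate(scheme: str, headers: Mapping[str, str],
                 query: Mapping[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, detail) as a middleware would before the handler runs."""
    if scheme != "https":
        return 403, "HTTPS required"          # never accept a token in cleartext
    if "api_key" in query:
        return 400, "token in query string not accepted"  # headers only
    token = extract_token(headers)
    if token is None:
        return 401, "missing credentials"
    client = lookup_client(token)
    if client is None:
        return 401, "invalid credentials"
    return 200, client
```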

Implementation


Written by Pavle Djuric

Software developer. 3 x AWS certified. Writing mostly about Python, Golang, backend development and Cloud computing.
