API Authentication: Keys, OAuth 2.0, and JWT Explained

API authentication verifies that the caller is who they claim to be and has permission to access the requested resource. Different authentication methods suit different use cases — server-to-server integration, user-delegated access, and end-user authentication each have appropriate approaches.

API Keys

The simplest authentication method: a unique secret string included in every request (typically in a header: Authorization: Bearer sk_live_xxxx). API keys identify and authenticate a specific client. They are appropriate for server-to-server API access where the key is kept secret on the server.

API key risks: if exposed, any caller can use them — they must never appear in client-side code, repositories, or logs. Rotate compromised keys immediately.

OAuth 2.0

OAuth 2.0 is the standard framework for delegated access — allowing users to grant third-party applications limited access to their accounts on other services without sharing their passwords. When you "Login with Google" or connect your Shopify store to your accountancy software, OAuth 2.0 is the mechanism.

The OAuth flow: the user is redirected to the authorisation server, grants permission, and is sent back with an authorisation code; the client application exchanges that code for an access token, which it then uses to call the API on the user's behalf.

JWT (JSON Web Tokens)

JWTs are self-contained tokens carrying claims (user ID, roles, expiry), cryptographically signed by the issuing server. The receiving API validates the signature without calling the authentication server, which makes JWTs stateless and highly scalable. JWTs are commonly used for session tokens in API-driven applications.
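As an added illustration (not code from the original article), a stand-alone Python issuer and verifier for HS256-signed JWTs: it shows the local validation described above, and the checks a receiving API must make beyond the raw signature (pinned algorithm, expiry, issuer, audience). The secret, issuer and audience values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment keeps this out of code, repos and logs.
SECRET = b"demo-signing-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, issuer: str = "https://auth.example",
               audience: str = "orders-api", now=None) -> dict:
    """Validate a JWT locally (no call to the auth server) and return its claims.
    Raises ValueError on any failure: malformed, wrong alg, bad signature, expired,
    wrong issuer or wrong audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm server-side: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    # A valid signature on a stale token is still a rejected token.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims
```

Because no round trip to the issuer happens, revocation before `exp` needs a separate mechanism (short lifetimes, or a deny-list the API consults).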
