Authentication: API Keys vs OAuth

Before any integration can read or write your data, it has to prove it is allowed to. The two most common ways of doing that are API keys and OAuth, and the right choice depends on what is being connected and on whose behalf.

This article explains both approaches in plain terms so the security choices in your project make sense.

The Two Approaches

Each method suits a different kind of connection.

  • API key: a single long-lived secret string; easy to use, but it grants everything it is attached to and so must be kept private. Best for server-to-server links.
  • OAuth: a flow where a user grants limited access without sharing their password.
  • Scopes: OAuth can restrict exactly what the integration may do.
  • Tokens: short-lived credentials that can be refreshed or revoked.

Choosing the Right One

We pick the method that gives the integration the least access it needs to do the job.

  1. Use API keys for trusted back-end connections.
  2. Use OAuth when acting on a user's behalf.
  3. Limit scopes to only what is required.
  4. Store and rotate credentials securely.

  Method    Best for              Key strength
  API key   Server-to-server      Simple to set up
  OAuth     User-granted access   Fine-grained and revocable
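To make the two approaches concrete, here is an added example that is not part of this article and not Progressive Robot's own code. It assumes an in-memory store (a hypothetical layout) and shows, side by side, the two checks a service performs: an API key check, where the server keeps only a hash of each key and compares it in constant time, and an OAuth-style access-token check, where the token carries the granting user, the scopes that user approved and an expiry, and can be revoked. The scope names and user names are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# --- API keys (server-to-server) ---------------------------------------
# Constructed store: only SHA-256 hashes of keys are kept, so a copied
# database does not yield usable keys. Keys never expire on their own,
# which is why the article tells you to rotate them.
API_KEY_HASHES = {}  # hex digest -> label of the integration it belongs to


def register_api_key(label):
    """Generate a fresh key, store its hash, and return the plaintext once."""
    key = secrets.token_urlsafe(32)
    API_KEY_HASHES[hashlib.sha256(key.encode()).hexdigest()] = label
    return key


def check_api_key(presented):
    """Return the integration label if the presented key matches, else None.

    The comparison uses hmac.compare_digest so a wrong key takes the same
    time to reject whether it differs in the first byte or the last.
    """
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, label in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored):
            return label
    return None


# --- OAuth-style access tokens (acting for a user) --------------------
# Constructed store: each token records who granted it, which scopes they
# approved, and when it stops working. Revocation is a separate set so a
# token can be killed before it expires.
TOKENS = {}
REVOKED = set()


def issue_token(user, scopes, ttl_seconds=3600, now=None):
    """Issue a short-lived token limited to the scopes the user approved."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {
        "user": user,
        "scopes": frozenset(scopes),
        "expires": now + ttl_seconds,
    }
    return token


def revoke_token(token):
    """Invalidate a token immediately, regardless of its expiry."""
    REVOKED.add(token)


def authorize(token, required_scope, now=None):
    """Return (user, "ok") if the token is live and carries the scope,
    otherwise (None, reason). Checks run from cheapest to most specific."""
    now = time.time() if now is None else now
    if token in REVOKED:
        return None, "revoked"
    record = TOKENS.get(token)
    if record is None:
        return None, "unknown token"
    if now >= record["expires"]:
        return None, "expired"
    if required_scope not in record["scopes"]:
        return None, f"missing scope {required_scope}"
    return record["user"], "ok"


def demo():
    """Walk both checks with fixed clock values so the results are repeatable."""
    results = {}
    key = register_api_key("billing-sync")  # constructed integration name
    results["api_key_valid"] = check_api_key(key)
    results["api_key_wrong"] = check_api_key("not-the-key")

    # A user grants read-only access for 60 seconds starting at t=1000.
    tok = issue_token("alice", ["contacts:read"], ttl_seconds=60, now=1000)
    results["read_in_scope"] = authorize(tok, "contacts:read", now=1010)
    results["write_out_of_scope"] = authorize(tok, "contacts:write", now=1010)
    results["expired"] = authorize(tok, "contacts:read", now=2000)
    revoke_token(tok)
    results["revoked"] = authorize(tok, "contacts:read", now=1010)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Notice that the API key path answers only "is this a key we issued?", while the token path also answers "for whom, for what, and still?". That is the practical difference behind the table above: the key is simpler to set up, the token is the one you can scope narrowly and switch off.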

If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.
