- Read Tutorial
- Watch Guide Video
As a quick review, remember that API stands for Application Programming Interface. APIs are essential tools that lets 3rd party applications communicate with other apps. An example would be posting a link on Twitter and having it auto-post on Facebook. In order to make this type of functionality possible Twitter had to use the Facebook API in order to post on a user’s behalf.
Now that we know what an API, let’s discuss what API authentication is.
What is API Authentication?
When you’re working with APIs it is typically important to ensure that requests are being made by valid 3rd party applications. For example, imagine that you built an API that sends out text messages. You would want to make sure that only apps that you trust could communicate with your service, right?
API authentication is the process of ensuring that only authorized applications are able to interact with your program.
This may seem like a very basic concept. You have to use a username and password each time you log into sites like Facebook, right?
Where API authentication is different than the normal login process is that it has to be completed 100% in code. Usually, this means including information in the API request that contains:
- Username
- Password
- API Key
- Etc
This information can then be checked by the receiving application to make sure that the request is coming from a valid application. You can compare this to a site like Facebook checking your email and password against their database. This ensures that you are who you say you are.
Why It’s Important
So now that you have an idea of what API authentication is, why is it important? Let’s continue with our example of having an API that sends text messages. If you don’t implement authentication into your service you run the risk of anyone being able to send SMS messages. This includes apps that would send spam and malicious data out to users. Obviously this would be a bad thing to happen and could even cause you to get penalized or banned from sending messages out, even from legitimate sources.
Take a look at the most popular APIs in the world, such as Google Maps, Twitter, Facebook, or Yelp. You’ll discover that they each require any applications that communicate with them to be authenticated.
How to Implement API Authentication
In order to understand how to implement API authentication, let’s dive right into the code. For this example, I’m going to use the Ruby on Rails framework. That means that the syntax will be specific to Rails. However, the overarching concepts can be applied to any language.
I’ve taken this walkthrough from a course I’ll be publishing next month. The course will focus on how to build a Ruby on Rails Microservice app. To reiterate, if you’re not familiar with the Rails framework, don’t tune out. You can apply a similar implementation to pretty much any framework.
The App
The app we’ll be adding authentication to is an API that sends out SMS messages, just like our example from earlier. At a high level, it allows third-party applications to send API requests and it sends out text messages with the data provided.
Implementing Authentication
In the course, I follow the Test-Driven Development process for implementing authentication. However that is slightly out of scope for this walkthrough, you can check it out if you want to learn how to build the app and follow Rails best practices.
The first step we’ll take is to create a method called authenticate and then have it run before any service tries to communicate with the API.
Inside of the authenticate method I’m leveraging the Rails built-in method: authenticate_or_request_with_http_basic. This will help perform tasks such as automatically requesting that an outside app supply login credentials.
Inside of the authenticate method it simply performs a database lookup and verifies that there is a client with matching API credentials. I’m using source_app and api_key, however, those are simply arbitrary names. They could just as easily be username and password.
Testing in the Browser
Even though we’re working on how to implement API authentication, it is still beneficial to be able to test our features locally in a browser.
If you run this in the Rails server you’ll see that this works and the browser is asking for login credentials. This is essentially mimicking what the API will encounter when it tries to communicate with the app.
I ran a database query to find a client and I found one that had the following credentials:
source_app: “app_name3” api_key: “gJpCXE9u0IhAx9Rct3Hy1Att”
If I enter the wrong credentials, the app won’t let me see the content and it will ask for my login credentials again, as shown here:
But if I enter the correct login credentials into the browser it will let me access the page.
Testing via cURL
Testing in the browser is all well in good, however this a tutorial on how to implement API authentication. Therefore it needs to be tested with JSON data. So how exactly can we do that?
Well before authentication was implemented I was able to create a notification by sending a cURL request. What’s cURL? cURL is a command-line tool that lets developers mimic sending various protocol requests. In this case, we’re sending an API request. This cURL request used to work:
curl -X POST -d "notification[phone]=4322386131" -d "notification[body]=mymessage" -d "notification[source_app]=myapp" http://localhost:3000/notifications
However, if I try this now it fails, as it should. And it fails with the error message:
HTTP Basic: Access denied.
Including Auth Headers via cURL
So how can we include our login credentials via cURL? Thankfully cURL has a nice built-in way of passing in parameters for HTTP basic auth requests like ours. We can prepend the code:
--user app_name3:gJpCXE9u0IhAx9Rct3Hy1Att
Which, if you remember are simply the login credentials we tested in browser, separated by a colon. The full cURL request would look like this:
curl --user app_name3:gJpCXE9u0IhAx9Rct3Hy1Att -X POST -d "notification[phone]=4322386131" -d "notification[body]=mymessage" -d "notification[source_app]=myapp" http://localhost:3000/notifications
Now if we run this command in the terminal it will process properly:
And it even sends out the text message!
Summary
I hope that this has been a helpful guide for helping to answer the question of how to implement API authentication and good luck with the coding interview!