API Security: Authenticate What Now?
Before we go into other API HTTP verbs, you need to learn about authentication, which is how an API verifies who the client is, so that it can decide whether that client has the right permissions to access or manipulate data. 🔐 If I’m building an API, I wouldn’t want just anyone to manipulate data without permissions, right?
In the GitHub API, we didn’t need any authentication to GET user data because that data is public and readable by anyone. But if you want to edit, add, or delete data, GitHub has to confirm that you are authorized to do so, and for that it needs an authentication process.
A common authentication approach is requiring a developer to register for a token or key through the API’s website, and then use that in their request. It's something unique to you (like an employee number) that only you can use to unlock something secure!
A token is usually a long, unique string of random letters and numbers that the API can use to know who is making the request and what level of permissions they have. Those permissions can be specific: which functionality you may call, or how many requests you may send. The API's documentation should spell out what functionality an authentication token gives you access to. The token is sent with the request, either in a header (the preferred place, since URLs tend to end up in logs) or, for some APIs, as a parameter in the endpoint URL itself.
Let's walk through getting a GitHub token.
Let's recap those steps! To get a GitHub authentication token, you can:
Go to https://github.com/settings/developers and click on Personal Access Tokens.
Click Generate New Token and enter "Open Classrooms" in notes.
Then you can see all the different options for permissions (scopes) you want your token to have.
Check off as many as you want to experiment with. We used Repo and Delete.
Click on Generate Token and get your personal API token. 👏
Make sure to copy and save this token because we'll be using it later on.
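Here is an added example, not part of the course, of what happens on both ends once you have a token. The client side builds the header GitHub documents for personal access tokens (Authorization: token <PAT>) and reads the token from an environment variable instead of hardcoding it. The server side is a simplified, made-up model of what an API does on every request: look up the token (stored only as a hash), and check that its scopes cover the HTTP verb being used. The token format, scope names, and the mapping of verbs to scopes are constructed for the example, not GitHub's real rules.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass


# --- Client side -----------------------------------------------------------

def build_auth_headers(token: str) -> dict:
    """Headers for a request using a GitHub personal access token.
    The token goes in the Authorization header, never in the URL."""
    return {
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
    }


# --- Server side (simplified model, not GitHub's implementation) -----------

@dataclass(frozen=True)
class TokenRecord:
    user: str
    scopes: frozenset  # e.g. {"repo", "delete_repo"} (constructed scope names)


def hash_token(token: str) -> str:
    # Only a hash of the issued token is kept, so a leaked store does not
    # hand out usable credentials.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, TokenRecord] = {}

    def issue(self, user: str, scopes) -> str:
        """Create a random token for `user`; the raw value is returned exactly
        once, which is why the GitHub UI tells you to copy it right away."""
        token = "ghp_" + secrets.token_urlsafe(30)  # constructed PAT-like format
        self._by_hash[hash_token(token)] = TokenRecord(user, frozenset(scopes))
        return token

    def lookup(self, token: str):
        return self._by_hash.get(hash_token(token))


# Which scope each verb needs in this toy API. GET on public data needs none.
REQUIRED_SCOPE = {"GET": None, "POST": "repo", "PATCH": "repo", "DELETE": "delete_repo"}


def authorize(store: TokenStore, headers: dict, method: str):
    """Return (status, reason). 401 = we don't know who you are;
    403 = we know who you are, but this token isn't allowed to do that."""
    needed = REQUIRED_SCOPE.get(method)
    scheme, _, token = headers.get("Authorization", "").partition(" ")

    if scheme.lower() not in ("token", "bearer") or not token:
        if needed is None:
            return 200, "public read, no token needed"
        return 401, "missing token"

    record = store.lookup(token)
    if record is None:
        # A bad token is rejected even on public endpoints, so typos surface early.
        return 401, "invalid token"

    if needed is not None and needed not in record.scopes:
        return 403, f"{record.user}: token lacks scope '{needed}'"
    return 200, f"{record.user}: ok"


if __name__ == "__main__":
    store = TokenStore()
    # In a real script the token would come from the environment, e.g.
    # os.environ["GITHUB_TOKEN"]; here we issue one locally so the demo runs offline.
    token = os.environ.get("GITHUB_TOKEN") or store.issue("alice", ["repo"])
    for method in ("GET", "POST", "DELETE"):
        print(method, authorize(store, build_auth_headers(token), method))
    print("GET without token:", authorize(store, {}, "GET"))
    print("POST without token:", authorize(store, {}, "POST"))
```

Notice the two different failure codes: a missing or unknown token is an authentication failure (401), while a valid token used for something its scopes don't cover is an authorization failure (403). That distinction is exactly why the GitHub token page asks you to pick scopes.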
Security is Key: Choose Your APIs Wisely
As you learned previously, there are thousands of different APIs for you to use in your code projects. As with anything, it's important to keep security in mind and make sure the APIs are coming from a credible source. Quality APIs will have security measures like authentication, authorization, and encryption. They will also be recently updated, so you know they're keeping up to date with the latest security standards. Here's a good example of a recently updated API called CatFacts.
You can see on their GitHub that their last update to their API was 16 days ago, so you know it's being kept up to date. 😉
Authentication is necessary to make sure only people with the right permissions can access your API.
API keys or tokens are commonly used with a request to authenticate a user.
Make sure to double-check the credibility of an API before you use it.