Understand the Importance of Authentication for an API
Before we go into other API HTTP verbs, you need to learn about authentication, which is simply a way for APIs to make sure the client has the right permissions to access or manipulate data. 🔐 If you’re building an API, you wouldn’t want just anyone to be able to change any user’s password, right? 🔥
When we made our GET request in the GitHub API, we didn’t need any authentication to GET user data. Why? Remember: there are both private and public APIs.
Oh, so GitHub is a public API!
Yes and no. GitHub is an API with a public section where you can make requests without authorization, as we did in the last chapter. However, the whole application isn’t public. Some endpoints require authentication to ensure you have the required authorization to update data.
If you want to edit, add, or delete data, GitHub needs to give you the authorization to do so. You wouldn’t want just anyone to be able to replace your profile picture with one of Homer Simpson, would you?! 🍩 So for this to happen, GitHub has an authentication process.
A common authentication approach requires a developer to register for a token or key through the API’s website. Once they have it, the developer uses this to identify themselves, and presto. 🎉
What’s a token, then? A sort of code? 🤔
Yes, sort of! A token is usually a long and unique string of random letters and numbers assigned to a user. The token is a bit like a passport number: it is unique and identifies who you are. The API can use it to know who is making the request and what level of permissions they have.
The permissions can define specific access to certain functionalities, like the number of requests you can send, but also the actions you can carry out (for example, you can make sure only an administrator can edit an organization). The API’s documentation should communicate all the information about what functionality is accessible through an authentication token.
How do we add the token to the request? 🤔
It's sent either in the HTTP request headers (typically an Authorization header) or as a parameter in the endpoint URL itself. The API's documentation tells you which form it expects.
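As an added example (not part of the original chapter), here are both sides of that exchange in Python: the client attaches the token in the Authorization header, the form GitHub documents, and a hypothetical API server looks the token up to decide who is calling and whether their scopes allow the action. The token store, the ghp_EXAMPLE_ tokens and the delete-repository handler are all constructed for illustration; nothing is sent over the network.

```python
import hashlib
import hmac
from typing import Optional
from urllib.request import Request

# --- Client side -----------------------------------------------------------
def build_request(url: str, token: str) -> Request:
    """Attach a personal access token in the Authorization header, the form
    GitHub documents ("token <PAT>"). Nothing is sent here; the Request object
    is only built so its headers can be inspected."""
    return Request(url, headers={"Authorization": f"token {token}",
                                 "Accept": "application/vnd.github+json"})

# --- Server side (hypothetical API, not GitHub's real implementation) --------
def _fingerprint(token: str) -> str:
    # Store only a hash of each token so a leaked store does not leak credentials.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample store: fingerprint -> who the token belongs to and its scopes,
# mirroring the "repo" and "delete_repo" scopes selected in the chapter.
TOKEN_STORE = {
    _fingerprint("ghp_EXAMPLE_full_access"): {"user": "alice", "scopes": {"repo", "delete_repo"}},
    _fingerprint("ghp_EXAMPLE_repo_only"): {"user": "bob", "scopes": {"repo"}},
}

def authenticate(headers: dict) -> Optional[dict]:
    """Authentication: who is making the request? Returns the identity or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("token "):
        return None
    presented = _fingerprint(auth[len("token "):])
    for stored, identity in TOKEN_STORE.items():
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(stored, presented):
            return identity
    return None

def handle_delete_repo(headers: dict) -> int:
    """Authorization: does this identity hold the scope the action needs?
    Returns the HTTP status the endpoint would answer with."""
    identity = authenticate(headers)
    if identity is None:
        return 401  # not authenticated: missing or unknown token
    if "delete_repo" not in identity["scopes"]:
        return 403  # authenticated, but this token was not granted the scope
    return 204  # allowed: the repository would be deleted here

if __name__ == "__main__":
    req = build_request("https://api.github.com/user", "ghp_EXAMPLE_full_access")
    print(handle_delete_repo(req.headers))  # 204: alice's token carries delete_repo
```

The same request made with bob's repo-only token is authenticated but refused (403), which is the difference between authentication and authorization that the chapter describes.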
To illustrate this, let’s walk through getting a GitHub token.
To start, go to: https://github.com/settings/tokens.
You should end up on this page:
Here’s where you ask GitHub to give you a token so you can carry out operations using the GitHub API.
Click on Generate new token.
You want GitHub to give you authorization for two things:
To perform actions on GitHub repositories
To delete GitHub repositories
Follow the example above, and don't forget to enter some information in the note section that will help you to remember what this token was for. This information could be the name of an application, your API, etc. I’ve written OpenClassrooms.😄 Then click on Generate token, and ta-da! 🎉
You’ll see your token where the black bar is. I’ve hidden mine. 🙊
Notice the blue box—don’t forget to copy your personal access token!
After copying your token, refresh the page. Just like in the example above, you should see your new token appear under the name you gave it. You’ll also see the actions it allows you to perform on the GitHub API. For us, those are the two we selected: delete_repo and repo.
You’ve seen how to use APIs, but they can be created by companies, services, or independent developers. How can you be sure that they’re trustworthy?
Security Is Key: Choose Your APIs Wisely
As you learned previously, there are thousands of different APIs you can use in your code projects. As with anything, it's important to keep security in mind. As a developer, you are responsible for the security of your user data! You must make sure your APIs are coming from a credible source.
But how? How will I know if an API is credible or not? 🤔
There are some quick and easy ways to check if an API is credible or not. Quality APIs will have security measures like authentication, authorization, and encryption. They will also be recently updated, so you know they're keeping up to date with the latest security standards.
Let’s look at an example. On GitHub, you’ll find the Pokémon API named PokeApi, which has been updated in the previous two weeks. 👇
You can see on their GitHub that it was last committed quite recently, so you know that this API is being kept up to date. 😉
Every time you use a third-party API, first check the date of the latest update on GitHub or on their website, read the documentation, and if you have any doubts (or even if you don’t), take a look at reviews online or simply consult another developer.
Let’s Recap!
To get a GitHub authentication token, you can:
Go to https://github.com/settings/developers and click on Personal access tokens.
Click Generate new token and enter "OpenClassrooms" in notes.
Then you can see all the different options for permissions you want your API to have.
Check off as many as you want to experiment with. We used Repo and Delete.
Click on Generate token and get your personal API token. 👏
Make sure to copy and save this token because you'll be using it later on.
Authentication is necessary to ensure only people with the right permissions can access your API.
API keys or tokens are commonly used with a request to authenticate a user.
Make sure to double-check the credibility of an API before you use it.
You can find out when an API was last updated on GitHub or its website.
GET no longer holds any secrets for you – you’ve created your GitHub account and got your first token. It’s now time to take things up a notch and play around with the GitHub API! 🚀