Overview: Configuring API Authentication


What is API Authentication?

API authentication is the process of verifying the identity of a client or user before granting access to API endpoints. Proper authentication ensures that only authorized users or applications can interact with protected resources, preventing unauthorized access and potential security threats.

Most APIs require authentication mechanisms such as API keys, OAuth tokens, or bearer tokens to control access and enforce security policies. Configuring authentication correctly is crucial to protect sensitive data, enforce role-based access control, and prevent unauthorized API usage.


Why Configure API Authentication?

1. Ensures Secure Access to API Endpoints

  • Prevents unauthorized users from accessing protected resources.
  • Validates client identities before allowing API requests.

2. Enforces Role-Based Access Control (RBAC)

  • Assigns permissions based on user roles (admin, developer, read-only, etc.).
  • Ensures that users only access endpoints they are authorized for.

3. Protects Against API Abuse

  • Prevents automated bots from making unauthorized requests.
  • Reduces the risk of API scraping, data theft, and denial-of-service attacks.

4. Improves Security and Compliance

  • Helps meet industry security standards (e.g., OAuth 2.0, JWT, API Key security).
  • Ensures APIs align with regulatory compliance requirements.

Common API Authentication Methods

1. API Key Authentication

  • Uses a unique key to authenticate requests.
  • Commonly passed in the request headers as Authorization: API_KEY.

2. OAuth 2.0

  • Secure framework for token-based authentication and authorization.
  • Used for third-party authentication and delegated permissions.

3. Bearer Token Authentication

  • Uses access tokens for authentication, often in Authorization: Bearer TOKEN.
  • Commonly used for securing APIs in web and mobile applications.

4. HMAC (Hash-based Message Authentication Code)

  • Uses cryptographic hashing to verify request authenticity.
  • Ensures request integrity and prevents tampering.

5. Certificate-Based Authentication

  • Uses SSL/TLS certificates for identity verification.
  • Typically used in enterprise environments for mutual authentication.
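As an added illustration (not APIsec code), the following Python shows how each credential type listed above is attached to an HTTP request, including the Header versus Query Parameter placement that the Bearer Token advanced options later in this guide expose, and an HMAC signature together with the server-side check that makes a request tamper-evident and replay-limited. The request/credential dict shapes and the X-Key-Id, X-Timestamp and X-Signature header names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import time

# Added example, not APIsec code: attach each credential type the guide lists
# to a request dict {"method", "path", "query", "headers", "body"}. The
# "placement"/"placement_key" fields mirror the guide's Placement In /
# Placement Key options for Bearer tokens; the HMAC header names are assumed.

def _hmac_message(req, ts):
    body_sha = hashlib.sha256(req.get("body", b"")).hexdigest()
    return "\n".join([req["method"], req["path"], str(ts), body_sha]).encode()

def attach_credential(req, cred, now=None):
    headers, query = dict(req.get("headers", {})), dict(req.get("query", {}))
    kind = cred["type"]
    if kind == "api_key":            # guide: Header Key / Header Value
        headers[cred["header_key"]] = cred["value"]
    elif kind == "basic":            # RFC 7617: base64(username:password)
        raw = f'{cred["username"]}:{cred["password"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif kind == "bearer":           # Placement In: header (default) or query
        key = cred.get("placement_key", "Authorization")
        if cred.get("placement", "header") == "query":
            query[key] = cred["token"]
        else:
            headers[key] = "Bearer " + cred["token"]
    elif kind == "hmac":             # sign method, path, timestamp, body digest
        ts = now if now is not None else int(time.time())
        sig = hmac.new(cred["secret"].encode(), _hmac_message(req, ts),
                       hashlib.sha256).hexdigest()
        headers.update({"X-Key-Id": cred["key_id"], "X-Timestamp": str(ts),
                        "X-Signature": sig})
    else:
        raise ValueError(f"unsupported credential type: {kind}")
    return {**req, "headers": headers, "query": query}

def verify_hmac(req, secrets, now, max_skew=300):
    """Server side: recompute the signature, compare in constant time, reject stale timestamps."""
    h = req["headers"]
    secret = secrets.get(h.get("X-Key-Id"))
    if secret is None or not h.get("X-Timestamp", "").isdigit():
        return False
    ts = int(h["X-Timestamp"])
    if abs(now - ts) > max_skew:          # limits replay of a captured request
        return False
    expected = hmac.new(secret.encode(), _hmac_message(req, ts),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, h.get("X-Signature", ""))
```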

When to Configure API Authentication?

  • Before deploying an API to production to enforce access controls.
  • When integrating third-party services to ensure secure authentication.
  • During security testing to verify authentication mechanisms are working as expected.
  • As part of compliance enforcement to meet industry security standards.

How API Authentication Fits into API Security Strategy

Configuring authentication is a critical first step in API security. It should be complemented by:

  • Authorization Controls: Ensuring users can only access what they are permitted to.
  • Rate Limiting & Throttling: Preventing abuse from excessive API calls.
  • Logging & Monitoring: Tracking authentication attempts and detecting suspicious activity.

By properly configuring API authentication, teams can safeguard APIs from unauthorized access, enforce security policies, and ensure data protection.

Configure Authentication

Open your browser and visit: https://<your-tenant>.apisecapps.com


Visit the application

  • Click the required application.

Configure Authentication

There are two ways to start setting up authentication:

  • Click Set Up Credentials under Guided actions, or
  • Click Credentials in the sidebar.

Then:

  • Click the Add Credentials + button.
  • The authentication form is displayed.


API Key Authentication

  • Type the auth name.
  • From the dropdown, select API Key.
  • Fill in the Header Key and Value.
  • Click Save Credentials.
  • The authentication is tested successfully.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.
  • Check that the saved credentials are available in the table.

Test Authentication

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.

Basic Authentication

  • Type the auth name.
  • From the dropdown, select "Basic".
  • Fill in the Username and Password.
  • Click Save Credentials.
  • The authentication is saved and tested successfully.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.
  • Check that the saved credentials are available in the table.

Test Authentication

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.

OAuth 2.0 Authentication

  • Type the auth name.
  • From the dropdown, select "OAuth 2.0".
  • Fill in the form.
  • Click Save Credentials.
  • Authentication Test Results - Authentication Resolution is displayed.
  • The authentication is saved and tested successfully.
  • Authentication Test Results - API Test Results is displayed.
  • Check that the saved credentials are available in the table.

Test Authentication

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.

OAuth 2.0 Authentication: Advanced Options

  • Click the row in the table where the OAuth 2.0 credential is listed; it opens the OAuth 2.0 credential in edit mode.
  • Click the Advance Section toggle button.
  • Select Header from the Placement In dropdown, and fill in the Scope and Audience fields in the form.
  • Click "Update Credentials".

Bearer Token Authentication

  • Type the auth name.
  • From the dropdown, select "Bearer Token".
  • Fill in the form.
  • Click Save Credentials.
  • Authentication Test Results - Authentication Resolution is displayed.
  • The authentication is saved and tested successfully.
  • Check that the saved credentials are available in the table.

Test Authentication

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.

Bearer Token Authentication: Advanced Options

  • Click the row in the table where the Bearer Token credential is listed; it opens the Bearer Token credential in edit mode.
  • Click the Advance Section toggle.
  • Select Query Parameter from the Placement In dropdown.
  • Select Authorization from the Placement Key dropdown.
  • Fill in the required additional fields.
  • Click "Update Credentials".

Custom Authentication

Custom Authentication is designed to support complex, multi-step login flows, often needed for APIs that require chaining multiple requests, passing cookies, and extracting values from headers or response bodies.

  • Enter the Credential Name.
  • From the dropdown, select "Custom Authentication".
  • Select the Authentication Flow configured to obtain a token for APIs that require multi-step authentication.

    Note: Custom Authentication allows you to run chained requests to obtain a token through a multi-step authentication process. If no authentication flow has been set up, please contact the APIsec support team.

  • Enter the credentials required to run the script.
  • Token Renewal Frequency: select the duration for which the token stays valid before it must be regenerated.
  • Click Save and Test Authentication.
  • The authentication is saved and tested successfully.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.
  • Check that the saved credentials are available in the table.

Test Authentication

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.
Note: Users with View permissions cannot configure or add authentication in a shared application.
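As an added example (not APIsec's own flow engine), the following Python sketches the kind of multi-step flow that Custom Authentication runs: each step can extract values from response headers, cookies or a JSON body into a context that later steps reference, cookies carry across steps, and a token cache re-runs the flow only once the token is older than the Token Renewal Frequency. The step format, the {{name}} placeholder syntax and the injected transport function are assumptions for this example.

```python
import json

# Added example, not APIsec's own flow engine: a minimal runner for the kind of
# chained login flow the Custom Authentication option describes. Each step can
# extract values from the response headers, cookies or JSON body into a context
# that later steps reference as {{name}}; the transport is injected so the flow
# runs offline against a constructed fake server.

def _fill(template, ctx):
    for k, v in ctx.items():
        template = template.replace("{{" + k + "}}", str(v))
    return template

def _extract(resp, rule):
    source, key = rule
    if source == "header":
        return resp["headers"][key]
    if source == "cookie":
        return resp["cookies"][key]
    if source == "json":                   # dotted path into the JSON body
        node = json.loads(resp["body"])
        for part in key.split("."):
            node = node[part]
        return node
    raise ValueError(f"unknown extraction source: {source}")

def run_flow(steps, creds, transport):
    """Run the steps in order; returns the context with every extracted value."""
    ctx, cookies = dict(creds), {}
    for step in steps:
        req = {"method": step["method"], "url": step["url"],
               "headers": {k: _fill(v, ctx) for k, v in step.get("headers", {}).items()},
               "body": _fill(step.get("body", ""), ctx), "cookies": dict(cookies)}
        resp = transport(req)
        if resp["status"] != 200:
            raise RuntimeError(f"step '{step['name']}' failed with HTTP {resp['status']}")
        cookies.update(resp.get("cookies", {}))   # cookies carry over to later steps
        for name, rule in step.get("extract", {}).items():
            ctx[name] = _extract(resp, rule)
    return ctx

class TokenCache:
    """Re-run the flow only once the token is older than the renewal frequency."""
    def __init__(self, flow_args, renew_after_s):
        self.flow_args, self.renew_after_s = flow_args, renew_after_s
        self.token, self.issued_at = None, None

    def get(self, now):
        if self.token is None or now - self.issued_at >= self.renew_after_s:
            self.token, self.issued_at = run_flow(*self.flow_args)["token"], now
        return self.token
```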

Test Authentication on a different endpoint

  • Click Test Authentication.
  • Authentication Test Results - Authentication Resolution is displayed.
  • Authentication Test Results - API Endpoint Test Results is displayed.
  • Select any other endpoint from the dropdown.
  • Click Test Authentication.
  • Authentication Test Results - API Endpoint Test Results is displayed for the selected endpoint.

Note: If the results show a 403, change the endpoint and re-test; a 403 usually means the request was authenticated but that particular endpoint is not permitted for this identity.

How to Edit Authentication

  • Click Credentials.
  • Click the required authentication in the list.
  • Update the required fields and click Update and Test Authentication.

Note: Users with View permissions cannot edit authentication in a shared application.

Delete Authentication

  • Click Credentials.
  • Click the Delete icon next to the authentication.
  • Confirm the deletion.
  • The authentication is deleted.

Note: Users with View permissions cannot delete authentication in a shared application.