
Overview: Configuring API Authentication


What is API Authentication?

API authentication is the process of verifying the identity of a client or user before granting access to API endpoints. Proper authentication ensures that only authorized users or applications can interact with protected resources, preventing unauthorized access and potential security threats.

Most APIs require authentication mechanisms such as API keys, OAuth tokens, or bearer tokens to control access and enforce security policies. Configuring authentication correctly is crucial to protect sensitive data, enforce role-based access control, and prevent unauthorized API usage.


Why Configure API Authentication?

  1. Ensures Secure Access to API Endpoints
  • Prevents unauthorized users from accessing protected resources.
  • Validates client identities before allowing API requests.
  2. Enforces Role-Based Access Control (RBAC)
  • Assigns permissions based on user roles (admin, developer, read-only, etc.).
  • Ensures that users only access endpoints they are authorized for.
  3. Protects Against API Abuse
  • Prevents automated bots from making unauthorized requests.
  • Reduces the risk of API scraping, data theft, and denial-of-service attacks.
  4. Improves Security and Compliance
  • Helps meet industry security standards (e.g., OAuth 2.0, JWT, API Key security).
  • Ensures APIs align with regulatory compliance requirements.

Common API Authentication Methods

  1. API Key Authentication
  • Uses a unique key to authenticate requests.
  • Commonly passed in the request headers as Authorization: API_KEY.
  2. OAuth 2.0
  • Secure framework for token-based authentication and authorization.
  • Used for third-party authentication and delegated permissions.
  3. Bearer Token Authentication
  • Uses access tokens for authentication, often in Authorization: Bearer TOKEN.
  • Commonly used for securing APIs in web and mobile applications.
  4. HMAC (Hash-based Message Authentication Code)
  • Uses cryptographic hashing to verify request authenticity.
  • Ensures request integrity and prevents tampering.
  5. Certificate-Based Authentication
  • Uses SSL/TLS certificates for identity verification.
  • Typically used in enterprise environments for mutual authentication.

When to Configure API Authentication?

  • Before deploying an API to production to enforce access controls.
  • When integrating third-party services to ensure secure authentication.
  • During security testing to verify authentication mechanisms are working as expected.
  • As part of compliance enforcement to meet industry security standards.

How API Authentication Fits into API Security Strategy

Configuring authentication is a critical first step in API security. It should be complemented by:

  • Authorization Controls: Ensuring users can only access what they are permitted to.
  • Rate Limiting & Throttling: Preventing abuse from excessive API calls.
  • Logging & Monitoring: Tracking authentication attempts and detecting suspicious activity.

By properly configuring API authentication, teams can safeguard APIs from unauthorized access, enforce security policies, and ensure data protection.

Open your browser and visit: https://<your-tenant>.apisecapps.com


Visit the application

  • Click on "See more" to open the application.

Configure Authentication

There are two ways to start setting up authentication.

  • From the App Model: click Configure Authentication.

  • From the Application Configurations menu: click on the App Config dropdown, then click on the Authentication Configuration menu item.

  • Click on the Add Authentication + button.


How to set up API Key Authentication

  • Start filling in the form.

  • Type the auth name.

  • From the dropdown, select API Key.

  • Fill in the Header Key and Value.

  • Click on Save Credentials.

  • Authentication Tested Successfully.

  • Authentication Test Results - Authentication Resolution.

  • Authentication Test Results - API Endpoint Test Results.

  • Check that the saved credentials are available in the table.

    Test Authentication

    • Click on Test Authentication.
    • Authentication Test Results - Authentication Resolution.
    • Authentication Test Results - API Endpoint Test Results.

How to set up Basic Authentication

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on Add Authentication +.

  • Start filling in the form.

  • From the dropdown, select "Basic".

  • Fill in the Username and Password.

  • Click on Save Credentials.

  • Authentication Tested Successfully.

  • Authentication Test Results - Authentication Resolution.

  • Authentication Test Results - API Endpoint Test Results.

  • Check that the saved credentials are available in the table.

    Test Authentication

    • Click on Test Authentication.
    • Authentication Test Results - Authentication Resolution.
    • Authentication Test Results - API Endpoint Test Results.

How to set up OAuth 2.0 Authentication

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on Add Authentication +.

  • Start filling in the form.

  • From the dropdown, select "OAuth 2.0".

  • Fill in the form.

  • Click on Save Credentials.

  • Authentication Test Results - Authentication Resolution.

  • Authentication Test Results - API Endpoint Test Results.

  • Check that the saved credentials are available in the table.

    Test Authentication

    • Click on Test Authentication.
    • Authentication Test Results - Authentication Resolution.
    • Authentication Test Results - API Endpoint Test Results.

How to Configure the OAuth 2.0 Authentication Advanced Option

  • Click on the row where OAuth 2.0 is listed in the table; it opens the OAuth 2.0 credential in edit mode.
  • Click on the Advanced Section toggle button.
  • Select Header from the Placement In dropdown, and fill in the Scope and Audience fields in the form.
  • Click on "Update Credentials".

How to set up Bearer Token Authentication

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on Add Authentication +.

  • Fill in the form (auth name).

  • Click on Save Credentials.

  • Authentication Test Results - Authentication Resolution.

  • Authentication Test Results - API Endpoint Test Results.

  • Check that the saved credentials are available in the table.

    Test Authentication

    • Click on Test Authentication.
    • Authentication Test Results - Authentication Resolution.
    • Authentication Test Results - API Endpoint Test Results.

How to Configure the Bearer Token Authentication Advanced Option

  • Click on the row where Bearer Token is listed in the table; it opens the Bearer Token credential in edit mode.
  • Click on the Advanced Section toggle.
  • Select Query Parameter from the Placement In dropdown.
  • Select Authorization from the Placement Key dropdown.
  • Fill in the Additional form.
  • Click on "Update Credentials".

How to set up Custom Authentication

Custom Authentication is designed to support complex, multi-step login flows, often needed for APIs that require chaining multiple requests, passing cookies, and extracting values from headers or response bodies.

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on Add Authentication +.

  • Enter the Credential Name and click on Authentication Type.

  • From the dropdown, select "Custom Authentication".

  • Select the Authentication Flow configured to obtain a token for APIs that require multi-step authentication.

    Note

    Custom Authentication allows you to run chained requests to obtain a token through a multi-step authentication process. If no authentication flow has been set up, please contact the APIsec support team.

    Fill in the Authentication URL.

  • Enter the credentials required to run the script.

  • Token Renewal Frequency: select the duration for which the token stays valid before it must be regenerated.

  • Click on Save and Test Authentication.

  • Authentication Test Results - Authentication Resolution.

  • Authentication Test Results - API Endpoint Test Results.

  • Check that the saved credentials are available in the table.

    Test Authentication

    • Click on Test Authentication.
    • Authentication Test Results - Authentication Resolution.
    • Authentication Test Results - API Endpoint Test Results.
Note

Users with View permissions cannot configure or add authentication in a shared application.

Test Authentication on a different endpoint

  • Click on Test Authentication.
  • Authentication Test Results - Authentication Resolution.
  • Authentication Test Results - API Endpoint Test Results.
  • Select any other Endpoint from the dropdown.
  • Click on Test Authentication.
  • Authentication Test Results - API Endpoint Test Results.

Note

If the results show 403, try changing the endpoint and re-test.
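As an added example (not APIsec's own code), the block below shows how each credential type from the sections above ends up in an outgoing request, including the Placement In and Placement Key advanced options, and how an endpoint test status maps to the two results the UI reports. The credential records, the `apply_auth` and `interpret_test` names, and the reading of 403 as "credential accepted, endpoint not permitted" are assumptions made for illustration; the OAuth 2.0 case assumes the access token has already been obtained.

```python
import base64

# Constructed credential records mirroring the form fields in the sections above
# (type, Placement In, Placement Key, secret values). Not APIsec's own code.

def apply_auth(cred, headers=None, params=None):
    """Return (headers, params) with the credential placed as configured."""
    headers, params = dict(headers or {}), dict(params or {})
    kind = cred["type"]
    if kind == "API Key":
        headers[cred["header_key"]] = cred["header_value"]
    elif kind == "Basic":
        raw = f"{cred['username']}:{cred['password']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif kind in ("Bearer Token", "OAuth 2.0"):
        # For OAuth 2.0 we assume the access token has already been obtained.
        value = "Bearer " + cred["token"]
        key = cred.get("placement_key", "Authorization")
        if cred.get("placement", "Header") == "Query Parameter":
            # Query placement puts the secret in the URL, where proxies and
            # access logs record it; prefer Header unless the API requires it.
            params[key] = value
        else:
            headers[key] = value
    else:
        raise ValueError(f"unsupported credential type: {kind!r}")
    return headers, params

def interpret_test(status):
    """Map a test status to Authentication Resolution and API Endpoint Test Results."""
    if status == 401:
        return {"resolution": "failed", "endpoint": "unauthenticated",
                "action": "check the credential values"}
    if status == 403:
        # Credential was accepted but this endpoint is not permitted for it,
        # which is why the note above suggests re-testing on another endpoint.
        return {"resolution": "ok", "endpoint": "forbidden",
                "action": "select another endpoint and re-test"}
    if 200 <= status < 300:
        return {"resolution": "ok", "endpoint": "ok", "action": "none"}
    return {"resolution": "unknown", "endpoint": f"HTTP {status}",
            "action": "inspect the response"}

if __name__ == "__main__":
    bearer_in_query = {"type": "Bearer Token", "token": "tok_example",
                       "placement": "Query Parameter", "placement_key": "Authorization"}
    h, p = apply_auth(bearer_in_query, params={"page": "1"})
    print("GET /users", p, h)
    print(interpret_test(403))
```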

How to Edit Authentication

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on the required authentication in the list.

  • Update the required fields and click on Update and Test Authentication.

Note

Users with View permissions cannot edit authentication in a shared application.

Delete Authentication

  • Click on the App Config dropdown.

  • Click on the Authentication Configuration menu item.

  • Click on the Delete icon next to the authentication.

  • Confirm Delete.

  • The authentication is deleted.

    Note

    Users with View permissions cannot delete authentication in a shared application.