How does authentication work in an API?
API authentication is how the server knows who is making a request. Since REST is stateless, the client usually sends a credential with every request, most often a token in the Authorization header. The server checks the token, confirms who you are, and decides what you can do. Common approaches are API keys, JWT tokens, and OAuth.
Common approaches
- API key: a simple secret string sent in a header, good for server to server calls.
- JWT token: a signed token holding user info, common for user logins.
- OAuth: a standard for letting users grant limited access, used for login with Google style flows.
A typical flow is the user logs in once, the server returns a token, and the client sends that token on every later request. The server verifies it without storing a session, which keeps things stateless.
Be ready to separate authentication from authorization. Authentication is who are you and authorization is what are you allowed to do. Interviewers often ask you to define both clearly.
Common follow up questions
Related interview questions
Want the full API Design guide?
Read every API Design concept with notes, diagrams, and code in one place. Track your progress as you go.
Open the API Design guide All API Design questions