API testing – Security Standards API Authentication


In the previous articles we looked at what a client and a server are, how they talk to each other over HTTP, and how they agree on a data format so that they understand each other. One question probably remains: how does the server know which client it is talking to? Today we will talk about the security standards for API authentication.

Identity verification in the virtual world

Suppose you have registered an account on a website. The two pieces of information you cannot do without are the username and the password. Together they are known as “Credentials”. The next time you want to enter the website, you have to show that “passport” again.

Logging in with a username and password is an example of a process called Authentication. When you prove your identity to a server, you provide information that only you and the server know (not counting the case where friends share each other’s Facebook accounts :v). Once the server knows who you are, it decides which of the information inside it you are allowed to access. That second step is Authorization, and it is worth keeping the two apart: authentication answers “who are you?”, authorization answers “what may you do?”.

In APIs there are many techniques for handling this authentication part. They are called Authentication schemes.

Basic API Authentication

The example above is the most basic form of authentication; its standard name is Basic Authentication, abbreviated “Basic Auth”. Basic Auth only requires a username and a password. The client joins them as username:password, base64-encodes the result and sends it in the HTTP Authorization header, for example Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== (which decodes to Aladdin:open sesame). Despite the name of the header, this step is still authentication, not authorization. Note that base64 is an encoding, not encryption: anyone who can read the request can decode the password, so Basic Auth should only ever be used over HTTPS.

When the server receives a request, it looks at the Authorization header and compares that information with the credentials it has stored (for passwords, a salted hash rather than the password itself). If they match, the server accepts the client’s request and returns the requested data in the response body. If not, the server returns a 401 status code, together with a WWW-Authenticate header, signaling that authentication failed and the request was denied.
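The exchange described above, written out as an added example (this is not code from the article or from Postman): the client builds the Authorization header, the server parses it, hashes the supplied password and compares it with the stored hash, and answers 200 or 401. The user table, the salt and the realm name are constructed demo values.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo credential store, not data from the article. A real
# service stores one random salt per user (os.urandom(16)); a fixed salt
# is used here only so the example is deterministic.
_SALT = b"demo-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    # Passwords are stored as PBKDF2 hashes, never in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def build_basic_auth_header(username: str, password: str) -> str:
    """Client side: the header Postman's 'Basic Auth' tab builds for you.

    base64 is an encoding, not encryption: anyone who sees this header can
    recover the password, so Basic Auth must only travel over HTTPS.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: return (username, password), or None if the header is
    missing, uses another scheme, or is not valid base64."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the username may not contain ':', the password may, so
    # split on the first colon only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(headers: dict) -> Tuple[int, dict]:
    """Return the (status code, response headers) the server would send."""
    challenge = {"WWW-Authenticate": 'Basic realm="api"'}
    creds = parse_basic_auth_header(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    username, password = creds
    stored = USERS.get(username)
    # Hash the supplied password even when the user does not exist, so the
    # response time does not reveal which usernames are valid, and compare
    # the digests in constant time.
    candidate = _hash_password(password)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    hdr = build_basic_auth_header("alice", "correct horse battery staple")
    print(hdr)
    print(authenticate({"Authorization": hdr}))  # (200, {})
    print(authenticate({}))                      # 401 plus the WWW-Authenticate challenge
```

The parser deliberately rejects anything that is not a well-formed Basic header instead of guessing, and the server hashes the password before it knows whether the user exists; both details are easy to get wrong when you write the check yourself.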

Although Basic Auth is a frequently used technique, in practice it is not ideal to use the same username and password both to access the API and to manage the account. It is like a hotel giving a guest a bunch of keys to the whole hotel instead of the key to one room.

API Key Authentication

API Key Authentication is a technique that addresses the weakness of the Basic Auth model above. Instead of handing the guest the whole bunch of keys, the hotel owner gives the guest exactly one key: the key to their room. An API key is usually a long random string of letters and digits, unique to the client and different from the password, so it can be revoked or rotated without touching the account’s password.

When the client authenticates with the API key, the server knows to allow that client to access the data. So where does the API key go in the request? You might think it sits in the same header as Basic Auth above, but in fact it goes wherever the programmer decides, because there is no standard. It can be placed in a header (for example X-API-Key), in the URL (http://example.com?api_key=my_secret_key), or in the body. From the server’s point of view all three work the same way, but they are not equally safe: a key in the URL ends up in server access logs, proxy logs, browser history and Referer headers, so a header is the preferred place, and the key must still only travel over HTTPS.
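As an added example (not code from the article or from Postman), the server side of API key authentication: the key is looked for in the header, the URL and the body, only a digest of each issued key is kept in the store, and a simplified access-log line shows why a key in the URL is the worst of the three places. The header name X-API-Key, the field name api_key, the demo key and the client id are assumptions.

```python
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def generate_api_key() -> str:
    # 32 random bytes as a URL-safe string: long, unguessable, and unrelated
    # to the user's password, so it can be rotated or revoked on its own.
    return "k_" + secrets.token_urlsafe(32)


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed demo key, not a real credential. A real service keeps only the
# digest in its database, so a leaked table does not leak usable keys.
DEMO_KEY = "k_4f9c2e7ad1b36c8e0a5f7d2b9e1c3a6f"
API_KEY_HASHES = {_digest(DEMO_KEY): "room-101"}  # digest -> client id


def extract_api_key(request: dict) -> Tuple[Optional[str], Optional[str]]:
    """Look in the three places the article lists: header, URL, body.

    Returns (key, where it was found). X-API-Key and 'Authorization: Bearer'
    are common conventions, not a standard; 'api_key' is an assumed field name.
    """
    headers = {k.lower(): v for k, v in (request.get("headers") or {}).items()}
    if "x-api-key" in headers:
        return headers["x-api-key"], "header"
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[len("bearer "):].strip(), "header"
    query = parse_qs(urlsplit(request.get("url", "")).query)
    if query.get("api_key"):
        return query["api_key"][0], "url"
    body = request.get("body") or {}
    if body.get("api_key"):
        return body["api_key"], "body"
    return None, None


def authenticate_api_key(request: dict) -> Tuple[int, Optional[str]]:
    """Return (status, client id). The store is indexed by SHA-256 digest, so
    raw keys are never stored and the lookup itself leaks nothing useful."""
    key, _where = extract_api_key(request)
    if key is None:
        return 401, None
    client = API_KEY_HASHES.get(_digest(key))
    if client is None:
        return 401, None
    return 200, client


def access_log_line(request: dict, status: int) -> str:
    """What a typical web server writes for every request (Common Log Format,
    simplified). Whatever is in the URL lands here, and in proxy logs, browser
    history and Referer headers; headers and body do not."""
    parts = urlsplit(request.get("url", ""))
    target = parts.path + ("?" + parts.query if parts.query else "")
    method = request.get("method", "GET")
    return f'"{method} {target} HTTP/1.1" {status}'


if __name__ == "__main__":
    key_in_url = {"method": "GET", "url": f"https://example.com/rooms?api_key={DEMO_KEY}"}
    key_in_header = {"method": "GET", "url": "https://example.com/rooms",
                     "headers": {"X-API-Key": DEMO_KEY}}
    for req in (key_in_url, key_in_header):
        status, client = authenticate_api_key(req)
        print(status, client, access_log_line(req, status))  # the first line leaks the key
```

Running the block prints two log lines: the request that carried the key in the query string reproduces the whole key in the log, the one that used the header does not, which is the practical reason to prefer the header even though both authenticate successfully.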

Thank you for reading.
