APIs use authentication and authorization to control access to data: authentication establishes who is sending a request, and authorization checks that the sender is permitted to read or change the data in question. If you're building an API, you can choose from a variety of auth models. If you're integrating a third-party API, the required auth scheme is dictated by the API provider.
You can attach authorization details to any request you send in APIStrong. Depending on the auth type, the data is placed in the request headers or, for API keys and AWS signatures, optionally in the query parameters.
Open the request, go to the Authorization tab and pick an auth type from the Type dropdown. The fields relevant to that type are populated automatically. The correct values are determined by the API's server side; if you're using a third-party API, refer to the provider's documentation for the required auth details.
Basic authentication sends a username and password with each request, base64-encoded in the Authorization header. The encoding is reversible, not a hash, so Basic credentials must only ever be sent over HTTPS. In the request Authorization tab, select Basic Auth from the Type dropdown list.
You can revoke a previous key's access by generating a new one.
Bearer tokens let a request authenticate with an access token, such as a JSON Web Token (JWT). The token is a text string sent in the Authorization header using the Bearer scheme; anyone holding the string can use it, so treat it like a password. In the request Authorization tab, select Bearer Token from the Type dropdown list and enter the token in the Token field.
With API key auth, you send a key-value pair to the API either in the request headers or as a query parameter. Keys sent as query parameters end up in server logs, proxy logs and browser history, so prefer the header where the API allows it. In the request Authorization tab, select API Key from the Type list and enter your key name and value.
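As an added example, not APIStrong's own code, here is what each of the first three auth types looks like on the wire, together with the two checks a practitioner wants: that Basic credentials can be recovered by anyone who sees the header, and that none of this material should leave the client over plain HTTP. The function names and the example URLs are constructed for this illustration.

```python
import base64
from urllib.parse import urlencode, urlparse


def basic_header(username: str, password: str) -> dict:
    """Basic auth: 'user:password' base64-encoded in the Authorization header (RFC 7617)."""
    if ":" in username:
        raise ValueError("a Basic auth user-id may not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def decode_basic(header_value: str) -> tuple:
    """What any on-path observer or log reader can do: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def bearer_header(token: str) -> dict:
    """Bearer auth: whoever holds the token string is authenticated, hence the name."""
    return {"Authorization": f"Bearer {token}"}


def api_key_auth(name: str, value: str, where: str = "header") -> tuple:
    """API key as (headers, query_params); 'where' selects header or query placement."""
    if where == "header":
        return {name: value}, {}
    if where == "query":
        return {}, {name: value}
    raise ValueError("where must be 'header' or 'query'")


def build_request(url: str, headers: dict, params: dict) -> tuple:
    """Attach auth material to a request, refusing to send any of it over plaintext HTTP."""
    parsed = urlparse(url)
    if parsed.scheme != "https" and (headers or params):
        raise ValueError(f"refusing to send credentials over {parsed.scheme or 'unknown'}")
    final_url = url + ("&" if parsed.query else "?") + urlencode(params) if params else url
    return final_url, dict(headers)


if __name__ == "__main__":
    hdrs = basic_header("alice", "s3cret")
    print(hdrs, decode_basic(hdrs["Authorization"]))
    print(build_request("https://api.example.com/v1/items", *api_key_auth("api_key", "k1", "query")))
```

The HTTPS check is the part worth copying: an API client that silently downgrades to http:// turns every one of these schemes into a plaintext credential leak.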
With OAuth 2.0, you first retrieve an access token for the API, then use that token to authenticate future requests. Accessing data via the OAuth 2.0 flow varies greatly between API service providers, but typically involves a few requests back and forth between a client application, user, and API.
An example OAuth 2.0 flow could run as follows:
- A client application makes a request for the user to authorize access to their data.
- If the user grants access, the application then requests an access token from the service provider, passing the access grant from the user and authentication details to identify the client.
- The service provider validates these details and returns an access token.
- The client uses the access token to request the user data via the service provider.
In the Authorization tab for a request, select OAuth2 from the Type dropdown list.
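The four steps above, run end to end as an added example that is not APIStrong's or any provider's code: an in-process stand-in for the service provider's authorization server and resource API, and a client that performs the authorization-code grant against it. The endpoint URLs, client ID and client secret are constructed. The example goes slightly beyond the text by including the two checks a practitioner would not leave out: a state value that binds the callback to the session that started the flow, and PKCE (code_challenge/code_verifier) so that an intercepted authorization code cannot be redeemed without the client's verifier.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: provider endpoint and the client's registration.
AUTHORIZE_URL = "https://auth.example.com/authorize"
REDIRECT_URI = "https://client.example.com/callback"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-client-secret"


def s256(verifier):
    """PKCE S256 challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Provider:
    """In-memory stand-in for the service provider: authorization server plus resource API."""

    def __init__(self):
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self.grants = {}   # code -> (client_id, redirect_uri, code_challenge, scope, user)
        self.tokens = {}   # access_token -> (user, scope, expiry)

    def authorize(self, url, user):
        """Steps 1-2: the user consents; the provider redirects back with a one-time code."""
        q = _query(url)
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise PermissionError("unknown client or unsupported response_type")
        code = secrets.token_urlsafe(24)
        self.grants[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], q["scope"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """Step 3: redeem the code for an access token; checks client auth, binding and PKCE."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid client credentials")
        grant = self.grants.pop(form.get("code"), None)   # pop: a code can be redeemed once
        if grant is None:
            raise PermissionError("invalid or already-used authorization code")
        g_client, g_redirect, challenge, scope, user = grant
        if g_client != client_id or g_redirect != form.get("redirect_uri"):
            raise PermissionError("code was issued to a different client or redirect_uri")
        if s256(form.get("code_verifier", "")) != challenge:
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def resource(self, headers):
        """Step 4: the API serves data only for a valid, unexpired bearer token."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self.tokens.get(token)
        if scheme != "Bearer" or entry is None or entry[2] < time.time():
            raise PermissionError("401 invalid_token")
        return {"user": entry[0], "scope": entry[1]}


class Client:
    """The client application: builds the authorization request and validates the callback."""

    def __init__(self, provider):
        self.provider, self.state, self.verifier = provider, None, None

    def authorization_url(self):
        self.state = secrets.token_urlsafe(16)      # binds the callback to this session
        self.verifier = secrets.token_urlsafe(32)   # PKCE secret, never sent until step 3
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "profile:read", "state": self.state,
            "code_challenge": s256(self.verifier), "code_challenge_method": "S256"})

    def handle_callback(self, redirect_url):
        q = _query(redirect_url)
        if not self.state or q.get("state") != self.state:
            raise ValueError("state mismatch: callback not initiated by this session")
        form = {"grant_type": "authorization_code", "code": q.get("code"),
                "redirect_uri": REDIRECT_URI, "code_verifier": self.verifier}
        return self.provider.token(form, CLIENT_ID, CLIENT_SECRET)


def run_flow(provider, user="alice"):
    """Drive the four steps end to end and return the protected resource."""
    client = Client(provider)
    redirect = provider.authorize(client.authorization_url(), user)   # user grants access
    tok = client.handle_callback(redirect)                            # state check + exchange
    return provider.resource({"Authorization": f"Bearer {tok['access_token']}"})


if __name__ == "__main__":
    print(run_flow(Provider()))   # {'user': 'alice', 'scope': 'profile:read'}
```

When you paste a real provider's values into APIStrong's OAuth2 fields, the token endpoint is doing the same three checks as Provider.token here: the client secret, that the code was issued to this client and redirect URI, and (if PKCE is enabled) the verifier. A code that is rejected the second time you use it is the server behaving correctly.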
AWS Signature is the authorization workflow for Amazon Web Services requests. AWS uses a custom HTTP scheme based on a keyed HMAC (hash-based message authentication code): the request is signed with a key derived from your secret access key, so the secret itself is never sent over the wire.
In the Authorization tab for a request, select AWS Signature from the Type dropdown list.
Select where APIStrong should append your AWS auth details using the Add authorization data to dropdown, choosing between the request headers and the URL.
- If you select Request Headers, APIStrong adds X-Amz-prefixed fields in the Headers tab.
- If you select Request URL, APIStrong adds the auth details in Params with X-Amz-prefixed keys.
Add your access key and secret either directly in the fields or via variables; using variables keeps the secret out of the saved request and anything you share or export.
You can optionally set the advanced settings fields.
The AWS Signature parameters are as follows:
- AWS Region: The region receiving the request (defaults to
- Service Name: The service receiving the request (defaults to execute-api).
- Session Token: Required only when using temporary security credentials; it is sent as X-Amz-Security-Token and covered by the signature.
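As an added example, not APIStrong's own code, here is what the Request Headers option computes: an AWS Signature Version 4 signer producing the X-Amz- headers and the Authorization value, and the matching server-side verification that recomputes the signature from the received request. The access key, secret, session token, host and URL are constructed placeholders; the steps (canonical request, string to sign, derived signing key) follow the published SigV4 procedure. A real AWS endpoint additionally rejects requests whose X-Amz-Date is more than 15 minutes off its clock; that clock check is left out here.

```python
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(method, url, body, access_key, secret_key, region,
                  service="execute-api", session_token=None, amz_date=None):
    """Return the headers a 'Request Headers' SigV4 signing adds to the request."""
    parsed = urlparse(url)
    host = parsed.netloc
    # Canonical URI: path URI-encoded, '/' and unreserved characters kept as-is.
    canonical_uri = quote(parsed.path or "/", safe="/-_.~")
    # Canonical query: parameters sorted by name, names and values URI-encoded.
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parsed.query, keep_blank_values=True))
    canonical_query = "&".join(f"{k}={v}" for k, v in pairs)
    if amz_date is None:  # the timestamp is signed, which limits the replay window
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = _sha256_hex(body)
    # Lower-cased, sorted header names: these are the headers the signature protects.
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:  # temporary credentials: the token is sent and signed as well
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, credential_scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derived signing key chain: the secret access key itself never leaves the client.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {"Host": host, "X-Amz-Date": amz_date, "X-Amz-Content-Sha256": payload_hash,
           "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")}
    if session_token:
        out["X-Amz-Security-Token"] = session_token
    return out


def verify_sigv4(method, url, body, headers, region, service, secret_for):
    """Server side: look up the secret for the access key, recompute, compare in constant time."""
    auth = headers["Authorization"]
    access_key = auth.split("Credential=", 1)[1].split("/", 1)[0]
    secret = secret_for(access_key)
    if secret is None:
        return False
    expected = sigv4_headers(method, url, body, access_key, secret, region, service,
                             headers.get("X-Amz-Security-Token"), headers["X-Amz-Date"])
    return hmac.compare_digest(expected["Authorization"], auth)


if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint for the example.
    keys = {"AKIDEXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    url = "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items?limit=10"
    h = sigv4_headers("GET", url, b"", "AKIDEXAMPLE", keys["AKIDEXAMPLE"], "us-east-1")
    print(h["Authorization"])
    print(verify_sigv4("GET", url, b"", h, "us-east-1", "execute-api", keys.get))
```

Because the body hash, the host, the date and the query string are all inside the canonical request, changing any of them after signing invalidates the signature; that is why a captured AWS request is worth far less to an attacker than a captured Basic or Bearer header, which can be replayed against any path until the credential is rotated.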
APIStrong does not send any authorization details with a request unless you specify an auth type. If your request doesn't require authorization, select No Auth from the Type dropdown in the Authorization tab.