API Authentication Patterns

API authentication ensures that the server knows who is making a request, and it serves as the foundation for authorization decisions. The most common patterns are API keys (simple shared secrets sent via header or query parameter), OAuth 2.0 Bearer tokens (JWTs or opaque tokens obtained through an authorization flow), and mutual TLS (mTLS) for service-to-service communication. Each pattern suits different use cases: API keys work well for server-to-server integrations with trusted partners, OAuth 2.0 is essential for user-delegated access, and mTLS provides strong identity for zero-trust service meshes.

JWT-based authentication is popular because the token itself carries identity claims (sub, email, roles) and can be verified without a database lookup using the token's signature. However, JWTs cannot be revoked individually before expiry without maintaining a blocklist, so short expiry times (15 minutes) combined with refresh tokens are the standard practice. API keys, while simpler, should be treated as secrets -- transmitted only over TLS, stored hashed in the database, and rotatable without downtime.

A production API typically combines multiple authentication methods: API keys for external integrations, OAuth 2.0 for user-facing applications, and mTLS or signed JWTs for internal service-to-service calls. The API should return 401 Unauthorized when credentials are missing or invalid and 403 Forbidden when credentials are valid but insufficient for the requested operation.