
System Design

API Authentication Patterns

Choosing how callers prove their identity to an API, from keys to tokens.


Identifying the caller

Every API needs to know who is calling before deciding what they may do. Several patterns trade simplicity against security and scale.

Common patterns

  • API keys are a shared static secret sent in a header. Simple, but they identify only the holder of the key rather than a user, and they are hard to scope and rotate.
  • Bearer tokens carry a short-lived credential proving an authenticated session, far safer than static keys.
  • HMAC signed requests sign each request with a shared secret, so a request whose body was tampered with fails verification and replay is harder.
  • mTLS authenticates the calling service itself with a client certificate.
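The HMAC signed-request pattern from the list above, worked through as an added example that is not part of the original lesson: the client signs method, path, body hash, timestamp and nonce, and the server checks the signature in constant time, rejects stale timestamps and refuses a nonce it has already accepted. The secret, paths and header names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: header names and the 5 minute skew window are assumptions.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, timestamp, nonce):
    """Everything the signature covers; changing any field invalidates it."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: return the headers that accompany the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


def verify_request(secret, headers, method, path, body, seen_nonces, now=None):
    """Server side: True only if the signature matches, the timestamp is fresh
    and the nonce has not been accepted before (replay protection)."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or far-future request
    if nonce in seen_nonces:
        return False  # replay of a request that was already accepted
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # tampered method, path or body, or wrong secret
    seen_nonces.add(nonce)  # record the nonce only once the request is accepted
    return True
```

In a real deployment the seen-nonce set must be shared across server instances and only needs to retain nonces for the skew window, since older timestamps are rejected anyway.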

Choosing a pattern

Use tokens for user-facing APIs where sessions and scopes matter. Use signed requests or mTLS for machine-to-machine traffic where request integrity and strong service identity are what count. Avoid long-lived static keys for anything sensitive.

Key idea

Match the auth pattern to the caller: short-lived tokens for users, signed requests or mTLS for services, and no static keys for anything sensitive.

Check yourself


1. What is a key weakness of static API keys?

2. Which pattern best protects request integrity against tampering?