JWT vs API Key Auth for Machine to Machine APIs | Zuplo Blog (2024)


Authorizing other services (i.e. "machines") - sometimes called M2M - to call your API is typically done with either JWT tokens or API Keys. The reason to use one or the other varies by use case. This post explains the pros and cons of each and suggests when each one is a good fit for securing your API.

JWT authentication typically uses an OAuth 2.0 identity provider such as Auth0, AWS Cognito, etc. The identity provider issues tokens after validating that the clients are who they say they are.


When the client sends a request to the API it includes the JWT in the request's Authorization header as a Bearer token. The API validates the JWT's signature against the identity provider's public key and then uses the claims in the JWT to identify the client. Typically the JWT contains a sub claim that identifies the client, and an aud claim that names the API the token may be used against; the API must reject tokens whose aud does not match its own identifier, otherwise a token issued for one API can be replayed against another.

JWT tokens can be issued with any expiration time, but it is typical for tokens to expire in a short period, such as one hour. The API rejects a token once its exp claim has passed, and because issued tokens usually cannot be revoked, that expiration is what bounds the damage from a leaked token.

JWT auth with OAuth uses the Client Credentials flow on the identity server. Each client that will call the API is issued a Client Id and a Client Secret - think of these values like a username and password. The client uses these values to request an access token, which it then uses to call the API. In code, the client credentials flow looks like the following example.

Request

```bash
curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER
```

Response

```json
{
  "access_token": "eyJz93a...k4laUWw",
  "token_type": "Bearer",
  "expires_in": 86400
}
```

Considerations of Machine-to-Machine JWT Auth

JWT-based API auth is a good choice for securing microservices within an organization, or for sharing APIs with certain types of external clients.

  • JWT tokens are typically not revocable. Rotating a client's secret stops that client from obtaining new tokens, but tokens already issued remain valid until they expire, because the API checks the identity provider's signature, not the client secret. Invalidating them early means either introspecting every token against the identity provider (giving up the self-contained benefit) or rotating the signing key, which invalidates every token from that issuer, for all clients.
  • Permissions with JWT tokens are managed at the identity provider level, meaning that all tokens issued for the same client will have the same permissions.
  • JWT tokens are static; permissions, expiration time, or other properties cannot change once the token is issued.
  • When JWT tokens expire, the consumer must request a new token using the Client ID and Secret value.
  • Identity providers often charge based on the number of tokens issued.
  • The contents of a JWT token are visible to anyone who holds it: a JWT is signed, not encrypted, and its claims can be decoded with public tools like jwt.io. Never put secrets or sensitive internal detail in claims.

API Key Authentication

With API Key authentication, each client receives a unique secret key. Unlike JWT tokens, the key itself doesn't contain any actual data; it is simply an opaque, unique, high-entropy string associated with the client. Furthermore, there is no standard protocol for API Key authentication like OAuth, so each implementation can differ.

Ideally, an API using key-based authentication offers the API consumer the ability to manage their keys. For example, an API Gateway could offer a self-serve portal where end-users issue their own keys and, critically, can revoke old keys and create replacement keys on demand. Keys can be issued with various permissions and with custom expiration times.

A typical API Key authentication system will validate each key as it comes in with a request. If the key is valid, the data associated with that key is returned - typically information about the caller's identity and permissions.

```javascript
// pseudo-code to check key and get metadata
function myApiHandler(request) {
  const apiKey = request.headers.get("API-Key");
  const apiKeyInfo = apiKeyService.validate(apiKey);

  if (!apiKeyInfo.isValid) {
    return new Response("Unauthorized", {
      status: 401,
    });
  }

  // Check various properties of the api key info
  if (apiKeyInfo.accountId) {
    // ...
  }
}
```

Or, when using Zuplo's API Key system:

```typescript
export default async function (request: ZuploRequest) {
  // policy has already enforced that user must
  // be authenticated
  if (request.user.data.accountId) {
    // ...
  }
}
```

Considerations of API Key Auth

The main difference between API Key auth and JWT token auth is that the JWT token is self-contained - the information asserted by the token is in the token. With an API Key, the asserted information is stored in an external system. The externalization of assertion data makes API Keys more flexible for certain scenarios.

  • API Keys tend to be easier to work with for your partners; that's one of the reasons why businesses like Stripe, Twilio and Airtable use API Keys for their public API.
  • Individual API Keys can be revoked, rather than resetting a whole client/customer, and the revocation takes effect on the next request.
  • Permissions and expiration times of keys can be changed even after they are issued.
  • API keys are opaque, so no details of your implementation or scoping system are visible externally.
  • Because the key doesn't contain any information, the associated data for each key can effectively be limitless. For example, an API Key authentication system could also assert that a particular key is allowed to access a particular account.
  • API Keys can be issued without expirations and revoked only when needed (i.e., when a customer cancels their account). A key that never expires is only as safe as the store that holds it, which is why keys should be stored hashed.

Both JWT authentication and API Key authentication are good options when building a secure API. Each has benefits and drawbacks. JWT authentication is standardized, and there are libraries you can use to implement it quickly. However, it is typically more complex for your API consumers.

API Key authentication, on the other hand, tends to be extremely simple for developers to understand and implement and is popular with B2B SaaS businesses.

However, it can be non-trivial to implement an API Key management solution. You need to store the API Keys securely (hashed, so a database leak does not leak usable keys), and have a developer-facing UI where consumers can self-serve and roll keys on demand. We've written about our [Best Practices for API Key Authentication](/blog/2022/12/01/api-key-authentication), developed from building Zuplo and our team's collective experience at companies like Microsoft, Facebook, Auth0, and Stripe.

About Zuplo

Zuplo is a serverless API Gateway, designed for developers. With Zuplo you can secure your API with API Keys, add rate limiting, get developer documentation, and more in record time.


Author: Fr. Dewey Fisher