API Authentication Cheat Sheet

Updated 2026-04-29

API authentication is the process of verifying the identity of clients making requests to an API, forming the foundation of API security in modern distributed systems. Unlike traditional web authentication that relies on session cookies, API authentication must work across stateless HTTP requests, supporting diverse clients from web browsers to mobile apps and server-to-server integrations. The challenge lies in balancing security with developer experience: while robust authentication prevents unauthorized access and data breaches, overly complex implementations create friction that slows development and adoption. In 2026, the field is evolving rapidly: OAuth 2.1 consolidates best practices with mandatory PKCE and sender-constrained tokens (DPoP), passkeys/WebAuthn are accelerating mainstream adoption, and AI agents communicating via MCP are driving delegated authorization at scale.

What This Cheat Sheet Covers

This topic spans 17 focused tables and 158 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Core Authentication Methods
  • Table 2: OAuth 2.0 Grant Types
  • Table 3: JWT Structure and Claims
  • Table 4: JWT Signing Algorithms
  • Table 5: Token Types and Lifecycle
  • Table 6: API Key Security Patterns
  • Table 7: HTTP Authentication Schemes
  • Table 8: Session and Cookie Security
  • Table 9: OAuth Scopes and Permissions
  • Table 10: Authentication Best Practices
  • Table 11: Advanced Authentication Patterns
  • Table 12: Cross-Origin and CORS
  • Table 13: Security Headers for APIs
  • Table 14: API Security Testing
  • Table 15: Common Authentication Pitfalls
  • Table 16: GraphQL-Specific Authentication
  • Table 17: Monitoring and Observability

Table 1: Core Authentication Methods

| Method | Example | Description |
|---|---|---|
| API Key | X-API-Key: sk_live_51H... | Static token identifying the calling application; simple but not tied to specific users, best for server-to-server calls where client identity matters more than user identity. |
| Bearer Token | Authorization: Bearer eyJhbGc... | Generic token authentication scheme (RFC 6750); the token itself carries authentication proof and must be sent with every request; stolen tokens grant full access unless sender-constrained. |
| OAuth 2.0 | grant_type=authorization_code&code=xyz&redirect_uri=... | Delegation protocol allowing third-party apps to access user resources without sharing passwords; returns access tokens for API calls. |
| OpenID Connect (OIDC) | scope=openid profile email | Authentication layer built on OAuth 2.0; returns an ID token (JWT) containing user identity alongside access tokens for resource access. |
| OAuth 2.1 | Uses Authorization Code + PKCE | Modern OAuth profile mandating PKCE for all flows, removing implicit and password grants; the recommended standard for new implementations. |
| JWT (JSON Web Token) | eyJhbGciOiJIUzI1NiJ9.eyJzdWI... | Self-contained token encoding claims as JSON, verifiable via signature; enables stateless authentication without database lookups per request. |
| mTLS (Mutual TLS) | Client presents certificate in TLS handshake | Both client and server authenticate via X.509 certificates; strongest authentication for service-to-service, though complex certificate management is required. |
