When should you NOT use API Authentication Patterns?

Using API keys in URLs — they appear in server logs, browser history, and referrer headers. Long-lived tokens with no expiry or rotation — a stolen token is valid forever. Storing API keys in client-side JavaScript — they are visible to anyone who views source. Using HTTP Basic Auth over plain HTTP — credentials are sent in every request, base64-encoded but not encrypted.

When is API Authentication Patterns the right choice?

API keys for server-to-server calls where the key can be stored securely in environment variables. OAuth 2.0 + PKCE for user-delegated access — never embed client secrets in mobile or SPA clients. JWT bearer tokens for stateless APIs where the token carries claims without server-side session lookup. mTLS for high-trust service-to-service communication in zero-trust network environments.

← Back to glossary

API Authentication Patterns

api_design Intermediate

Also Known As

Bearer token API key authentication mTLS HMAC signing JWT authentication

TL;DR

Bearer tokens (JWT) for user sessions, API keys for machine-to-machine, mTLS for highest-security internal services — matching authentication method to the use case.

Explanation

API authentication options: Bearer token (Authorization: Bearer jwt) — stateless JWT, validate signature/expiry/issuer; use short expiry (15min) + refresh tokens. API key (X-API-Key header) — hash stored server-side, scope keys to minimum required permissions, rate-limit per key. Basic auth — only with HTTPS, legacy use only. OAuth 2.0 client credentials — for third-party apps accessing your API on their own behalf. mTLS (mutual TLS) — both client and server present certificates, no passwords, ideal for internal microservices. HMAC request signing (AWS Signature v4 style) — signs request body and headers, prevents replay attacks.

Common Misconception

✗ JWT authentication is stateless and therefore cannot be revoked — JWTs cannot be revoked without maintaining a blocklist (which adds state); for revocability, use short-lived tokens (15min) where the window of exposure is acceptable, or use opaque tokens with server-side session lookup.

Why It Matters

API key authentication for public user-facing APIs means one leaked key compromises that entire user's access — JWT with short expiry + refresh tokens limits blast radius and enables revocation via refresh token blocklist.

Common Mistakes

Long-lived JWT tokens without revocation — a leaked token remains valid until expiry
API keys in URL query parameters — logged by servers, CDNs, browser history, and proxies
No token scoping — one token with full access means any leak is a full compromise
JWT without signature validation — accepting unsigned tokens with alg:none

Avoid When

Using API keys in URLs — they appear in server logs, browser history, and referrer headers.
Long-lived tokens with no expiry or rotation — a stolen token is valid forever.
Storing API keys in client-side JavaScript — they are visible to anyone who views source.
Using HTTP Basic Auth over plain HTTP — credentials are sent in every request, base64-encoded but not encrypted.

When To Use

API keys for server-to-server calls where the key can be stored securely in environment variables.
OAuth 2.0 + PKCE for user-delegated access — never embed client secrets in mobile or SPA clients.
JWT bearer tokens for stateless APIs where the token carries claims without server-side session lookup.
mTLS for high-trust service-to-service communication in zero-trust network environments.

Code Examples

✗ Vulnerable

// Long-lived JWT — leaked token valid for 1 year:
$token = JWT::encode([
    'sub' => $userId,
    'exp' => time() + 31536000, // 1 year expiry!
], $secretKey);
// Leaked token: full access for up to 1 year

// API key in URL — logged everywhere:
GET /api/data?api_key=sk_live_abc123

✓ Fixed

// Short-lived access token + refresh token:
$access  = JWT::encode(['sub'=>$userId,'exp'=>time()+900], $key);  // 15 min
$refresh = JWT::encode(['sub'=>$userId,'exp'=>time()+2592000], $refreshKey); // 30 days
// Leaked access token: valid at most 15 min
// Refresh tokens: stored and rotatable

// API key in header — not logged by default:
// Authorization: Bearer $access
// OR: X-API-Key: sk_live_abc123

References

↗ https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Tags

api-design security auth

Added 16 Mar 2026

Edited 25 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 15 Google 9 Perplexity 9 Ahrefs 2 Unknown AI 2 ChatGPT 1 SEMrush 1

Also referenced

JWT Vulnerabilities 54 API Key Lifecycle Management 35 OAuth 2.0 18 OpenID Connect (OIDC) 17

How they use it

crawler 38 crawler_json 1

Related categories

security 4k networking 487 api_design 484

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: Medium

⚡ Quick Fix

API keys for server-to-server, JWT for stateless user sessions, OAuth2 for third-party delegated access — use the simplest pattern that meets your actual requirements

📦 Applies To

any web api laravel symfony

🔗 Prerequisites

JWT Deep Dive OAuth 2.0 API Key Lifecycle Management

🔍 Detection Hints

API key in URL query parameter instead of Authorization header; long-lived JWT tokens with no refresh mechanism; no token expiry

Auto-detectable: ✓ Yes semgrep owasp-zap

⚠ Related Problems