Bearer token vs API key
Hello guys, sorry to disturb you all; is there a difference between a bearer token and an API key?
From what I understand, both a bearer token and an API key are kind of an "access card" that grants us access.
29 Replies
a bearer token is an implementation of an access control mechanism, where an API key is a secret that you have to access something.
a bearer token is more like the login form, where the api key is more like your username/password
I would say that the bearer token is more like username/password, because it uses the exact same header as the username/password of basic auth
the difference is how the "token" is sent, and if it shows on logs or not
where might we want to use a bearer token instead of an API key? Do only authentication mechanisms use that?
the bearer token won't show in any log, but the api key will, as it is part of the url
your server and the target server will store the entire thing in the logs
if you can pick, use a bearer token
usually, you have to authenticate into an endpoint to get an updated bearer token (which you can use for a while)
the api key won't change that often
hmm from what I've read, a token will last for a specific amount of time, like it will expire; the api key doesn't change unless we revoke (I think it means delete) it.
Now the bearer token is assigned only once, when the user logs in, for e.g. But in the case of an API, like we would use BEARER "API_KEY" in our request, what does that imply, please?
for an api key, each time we need to send the request we would need to include it, compared to a bearer token where we use it only once (I guess)
Hmm I don't really understand the difference between using a token instead of keys, like say I want to interact with the openAI api, they use a bearer token, like something like -H AUTHORIZATION: BEARER SECRET_KEY
I didn't understand quite well, what if we omit bearer, will it still work? Then if so, why do we need bearer?
Bearer token is preferred to api keys? Why? Sorry for the lot of questions :c
I disagree with this one. The API key is nothing more than a string of characters that you need to get to the server through some method
it doesn't have to be part of the URL, it could even be used to authenticate once and get a temporary bearer token, or used in every request as part of an XML, JSON, or form payload, as a custom HTTP header, or a thousand other ways you can get it from your application to the third party server
and the reality is you don't usually have a choice when you're consuming an API, simply because the authentication method will be dictated by the owner of the API
that is how it is often used: as a url parameter
ah that's why for openAI they explicitly imply BEARER "SECRET_KEY"
it doesn't have to be, and can be a header
not in my experience, but sure
this!
this is extremely important to keep in mind
basically you just need to make sure to follow the instructions of the API owner and make sure you keep API keys and bearer tokens secret from your end user, unless it's very explicitly stated by the API owner that you can safely leak the key
Firebase for example uses a server-side permission system and a second layer of authentication and authorization on the user side to make it possible to just use your firebase key everywhere in your frontend
but especially if something could incur usage costs (like OpenAI), never ever ever put your key anywhere it even might end up in front-end code
usually, those request that you specify which domains can communicate with the api, and will block requests from unauthorized domains
yup, implement a server-side proxy with cache
if feasible
and set up authentication on that proxy, with rate limiting
and that's even (especially?) important for hobby projects
you can end up with ridiculous bills if a key is exposed and abused, easily 5 or 6 figure $ amounts
oh, I need to learn how to use proxies then if this matters even for small projects
oh god yeah I see
thanks, I will have a look at using proxies, I understand the concept of proxies but didn't really dive into how we can implement one yet
(it's most important with stuff like openAI where you're already paying, if they don't have your payment or personal information the worst that can happen is they ban you, but still good to keep in mind)
yep got it, thanks !
what I mean by "proxy" is simply a url in your site that is used by the front-end
and that is what will send the request to the api
it's nothing magical
if you search for "proxy" you will find all sorts of irrelevant things
but things you should learn anyway
"proxy api" should give better results, or "keep api key safe"
oh, yeah, that should be a lot better
I will look for it, thanks !
hmm I read that tokens are more for "user-level" while an api key is more for "app-level". Similarly, tokens can be used to restrict users' rights while an API key can't, it's like a key to access an entire building.
I'm a bit confused about what an authorization header is and why we use it, can someone elaborate giving examples/use cases, please?
Till now I haven't used that, I just made a small login using js and express, I've never used it, is it bad practice not to use it?
the first part is sorta true-ish
you can very well limit what a user can do based on the api key
you can have a key that only has read-only access while another has read and write access
ah I see
an authorization header is a header to send authorization credentials
it can be one or more methods at the same time
you can use basic auth and a bearer token at the same time
yep I see, normally as our app grows, is it a must to use an authorization header?
depends on what for
say for a login/sign up
but if it is for an api, it depends too
no, that's different
you do need some safety measures, but don't think a header will help much
yep, will revert back on that later on, thanks !