Best practices regarding API key authentication

Hello! I'm working on an API for an app for which I'm using better-auth for authentication. This question isn't really a better-auth specific question, but I figured I'd ask here as it's the right context. In my API I want to enable authentication through the use of API keys (in addition to the normal session authentication) so that clients can more easily authenticate from code. However, I'm a bit stumped on whether to use Bearer tokens (https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/) or API keys (https://swagger.io/docs/specification/v3_0/authentication/api-keys/). What really is the difference? I've also heard a lot about JWT tokens; can they be used with API keys, or are they locked in to Bearer tokens? I don't really understand the difference, as both are sent in a header.
1 Reply
Christian (N0_L0gic)
Additionally, the internet seems to tell me that JWTs are "more secure" than API keys, but better-auth seems to have some really nice features for API keys: https://www.better-auth.com/docs/plugins/api-key
