Self-paced

Explore our extensive collection of courses designed to help you master various subjects and skills. Whether you're a beginner or an advanced learner, there's something here for everyone.

Bootcamp

Learn live

Join us for our free workshops, webinars, and other events to learn more about our programs and get started on your journey to becoming a developer.

Upcoming live events

Learning library

For all the self-taught geeks out there, here is our content library with most of the learning materials we have produced throughout the years.

It makes sense to start learning by reading and watching videos about fundamentals and how things work.

Full-Stack Software Developer - 16w

Data Science and Machine Learning - 16 wks

Search from all Lessons

LoginGet Started
← Back to Lessons

Weekly Coding Challenge

Every week, we pick a real-life project to build your portfolio and get ready for a job. All projects are built with ChatGPT as co-pilot!

Start the Challenge

Podcast: Code Sets You Free

A tech-culture podcast where you learn to fight the enemies that blocks your way to become a successful professional in tech.

Listen the podcast

  • Security

  • Back End

  • Authentication

Edit on Github

Token Based Authentication in your API

Why implementing Token Based Authentication
What is API Authentication?
What is a Security Token?
How to implement authentication in your API

Why implementing Token Based Authentication

There are several ways to create an authentication layer in web applications, but we are going to be focusing today in Token Based Authentication for several reasons:

  • Easy to implement.
  • Provides a good level of security (by industry standards).
  • Fast and performant.
  • The most used in the industry as of today.

What is API Authentication?

In plain English, authentication means being able to identify who is making requests to your API; You normally implement an authentication layer in your application because you want:

  • Users to be able to log in and log out.
  • Privacy protection: Restrict access to information based on the user role. For example: Only I should be able to update my email and password, only I should review my medical health history.
  • Limit user permissions: Restrict access to certain functionalities, for example: A user needs to pay to download a book, or not being able to comment on a forum unless you log in, etc.

To explain in detail "Token Based API Authentication" it's better to start explaining about tokens.

What is a Security Token?

In a broad sense, a token is a "number that proves something." For example: when you finish making a bank transfer, the bank sends a confirmation "token" serves as proof to validate that the transaction exists and it's valid. That confirmation number could be also called a confirmation token.

Other examples for every-day tokens:

  • Your social security number (token) proves your credit history.
  • Your credit card number proves you have a valid credit card.
  • Etc.

A security token is more than just a number

Tokens used for authentication need to be more than just plain numbers, they need to be almost impossible to fake, predict or break.

  • Non-consecutive; that will make them very predictable, hackers will guess the next one.
  • Infinite (almost): What will happen if you run out of tokens? Can you imagine MasterCard running out of credit card numbers?
  • Non-reusable: There are cases of re-usable tokens, but in general once a token is generated, no one else should ever use it but you.
  • Validatable: The token must follow some hidden pattern (encryption) that allows validating the token without compromising the owner or author.

Generating tokens

There are several types of tokens you can use for your Authentication system like Basic, Bearer, or JWT. Most of them use advanced cryptography algorithms that we are not going to address in this lesson (you can watch this amazing video to learn more). Instead, we are going to talk about hashing.

What is a hash?

A hash is a unique alphanumeric number that gets generated from a specific seed or value, for example:

With Python

1import hash_function
2
3value = "alex"
4unique_hash = hash_function(value)

Explanation: the function hash_function will always return the exact same unique_hash if the same value is given.

With JavaScript

1const jwt = require('jsonwebtoken');
2
3const payload = {
4    userEmail: 'hola@4geeks.co',
5    rol: 'admin'
6};
7
8const unique_hash = jwt.sign(payload, 'secret-key', {
9    expiresIn: '24h' // Set the expiration time to 24 hours
10});

Explanation: the function jwt.sign will always return the exact same unique_hash if the same value is given. Take a look at this demonstration, start typing on the input:

Note: There are several popular hashing functions: MD5, Sha1, Sha256, Sha256, etc.

What makes hashing functions so cool?

Hashing functions have become the best way to generate tokens in the security world because:

  1. They are consistent: They always return the same output to the same given input.
  2. They are "impossible" to reverse: If a hacker gets access to a token, they will never be able to know what was the original value.
  3. They have the same size: For example, all the tokens generated using MD5 will have 40 characters.
  4. They are "fast": Hashes rely on advanced math to efficiently generate the alphanumeric numbers.

Note: Every bitcoin wallet address has a unique hash, every commit you make in GitHub has a unique hash, etc.

How to implement authentication in your API

The most simple way to implement authentication in your database and API:

  1. Create a User table/model that represents every user inside your application.
  2. That User table must contain email and password for every user.
  3. Create one API endpoint called POST /token that generates a token only if it receives an email and password that matches in the database.
  4. The POST /token endpoint will return the token to the front-end if everything is okay.
  5. Then, on every other endpoint in your database, you will have to validate if the token exists in the request header, and if it does, you will have to validate it.

Autentication workflow

Every token is a session

The moment you generate the token, you can decide if you want it to expire, same way web sessions expire when you log in into your online bank account.

When a client successfully authenticates, it will receive that unique token, and it will be able to attach to the request headers of every request it makes from that moment on. That token will be the "User session".

It is recommended to save that token in the cookies or localStorage of your front-end application.

1let myToken = "aDSA45F$%!sd&sdfSDFSDFytrefERF";
2localStorage.setItem("token", myToken);
3
4
5// You can retrieve the token at any moment, anywhere in your application, by using:
6let myToken = localStorage.getItem("token");

How to attach the token to the request header:

If you are doing a request from the Front-End this will be an ideal way to attach the token to your Authorization headers:

1let myToken = localStorage.getItem("token");
2fetch('https://myApi.com/path/to/endpoint', {
3    method: "POST", // or any other method
4    headers: {
5      "Authorization": myToken, // ⬅⬅⬅ authorization header
6    },
7    body: JSON.stringify(body)
8})
9    .then(resp => resp.json())
10    .then(data => console.log("Success!!", data))
11    .catch(error => console.log(error));

If you are using Python Flask framework

I strongly recommend using Flask JWT Extended.

If you are using Node Express

Generate tokens with Node JSONWebToken. Also use Express JWT to enforce the private endpoints.