API access tokens: how do they work, and how do they compare to authentication using API keys?
- Published: 6 Jun 2024
- PHP APIs course: ➤ davehollingworth.net/phpapisy
Support my channel: ☕ ko-fi.com/davehollingworth
Authentication using API keys is one way to authenticate requests to an API. Authentication using access tokens is another popular method. In this short video we'll learn how each one works, and how they compare.
00:00 API key authentication
01:03 Access token authentication
#API #authentication - Science
Dave, your lessons are amazing: clear, clean and very helpful. I would like to thank you!
This is a compact and amazing explanation of access tokens. Great job, sir.
I love how you explain things
Well explained. Thank you very much!
Thanks, I get confused by this topic a lot. That helped.
Thanks for this amazing video sir!
Thanks for this
Thank you man
Thank you for the video! When the API decodes the token and verifies whether it's valid, how come that doesn't require DB queries?
This is because the credentials are encoded in the token itself, so you don't need to get them from the database.
@dave-hollingworth thanks for replying! But how can those credentials be verified without a DB? I mean, even a token must be validated against something stored somewhere, right? There should be a place where data is kept to be validated against.
@Cenzo4u You're right, they're not actually verified - all that's guaranteed is that they haven't been tampered with. So if you save the user's ID, name, email etc. in the access token, you know that when it's decoded these values are the ones that were saved in the token when it was created.
If you want to validate it, then you have to check them against the database.
However, checking them doesn't scale that well, so the reason we have access tokens is to allow authentication without having to check a central database each time. The advantage of this is that we can authenticate the access token in the client, without checking the server.
The disadvantage is that any changes (e.g. the user changes their email address) aren't reflected in the values stored in the token, plus it's more difficult to immediately invalidate the token if you want to force someone to log out (but for that you can use blacklists, for example).
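The behaviour described in this reply (claims carried inside the token, integrity checked with a signature rather than a database lookup, stale claims, and a denylist for revocation), as an added Python example that is not code from the video or the course; the signing secret, claim names and denylist are constructed assumptions:

```python
import base64, hashlib, hmac, json

# Constructed server-side signing secret for this example only.
SECRET = b"example-signing-secret-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes, now: int, ttl: int) -> str:
    """Encode the claims plus an expiry, then sign them with HMAC-SHA256."""
    payload = json.dumps({**claims, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_token(token: str, secret: bytes, now: int, revoked=frozenset()):
    """Return the claims if the token is untampered, unexpired and not on the
    denylist; otherwise None. No database lookup is needed for the
    integrity check; the denylist is the only shared state consulted."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # signature mismatch: payload or key differs
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("jti") in revoked:
        return None  # explicitly revoked (forced logout)
    return claims

def edit_payload(token: str, new_claims: dict) -> str:
    """Rewrite the payload without the key, to show that the signature check
    rejects any modified claims."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims.update(new_claims)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig_b64}"
```

Note that a valid token still returns the email that was embedded at issue time, even if the user has changed it since; that is the stale-claims caveat in the reply above.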
@dave-hollingworth One question please, won't this method of access token be vulnerable to an attack? If someone got your access token, then how would the system identify that it's not you and it's someone else?
@adorablecheetah2930 If someone gets your access token, then they can access it as though they were you, yes. So it needs to be stored securely in the browser.
@dave-hollingworth thank you
From a security perspective which is more secure?
If you send them over HTTPS, they're both equally secure - the disadvantage of access tokens is that they're not as simple to revoke (e.g. if you want to disable a user's access instantly), as you're not checking the database (this will be the subject of a future video).
@dave-hollingworth Thank you, I always learn something from your videos.
Hi, I am getting a WordPress error, "Authorization token does not found".
I get the error when I log in to WordPress, but the website is not affected.
Can you help with a solution?
I'm afraid I'm not familiar with WordPress, but they do have some support forums here: wordpress.org/support/forums/
@dave-hollingworth thank you
What should the lifetime of this token be? Does it remain active forever? What is the best lifetime in seconds/minutes/hours for this token, with its advantages and disadvantages?
www.freecodecamp.org/news/best-practices-for-building-api-keys-97c26eabfea9/
How can I get a client secret key for a refresh token?
Use something like this for example: randomkeygen.com/
I need to get a refresh token. Please suggest how I can get that, and from where.
@samkhazi The framework generates it - check out the link to the course above, it details how this works.
Dave, thanks so much, the best explanation. Now I need to find a tool I can use to get a token. Can anybody recommend one? I heard about Postman.