How to send credentials over HTTP for rest API

Question

I've got an endpoint for HTTP GET at api/token which requires a username and password, since HTTP GET can't include a JSON body I don't know how a password should be sent. Also once I get the token, how should it be included in API calls? Just another field in JSON or in the header?

you may find this interesting: stackoverflow.com/questions/1582894/…, also you can open the browser console and see how each site sends creedentials to the server (for example you may inspect stackoverflow login and discover that the password is beign send hashed from the client) — Victor
– Victor, Commented Jun 28, 2020 at 13:02

Thierry Templier · Accepted Answer · 2015-03-23 13:34:10Z

1

You shoud leverage the header Authorization which is the common way to provide credentials within a call to a RESTful service.

This link could give you more hints on this: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

Hope it helps you, Thierry

answered Mar 23, 2015 at 13:34

Thierry Templier

203k44 gold badges407 silver badges365 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Ferrmolina · Accepted Answer · 2015-03-23 13:55:55Z

1

I suggest to use JSON Web Tokens which could be used in a URL, POST parameter, or an HTTP header.

A good article about JWT is this.

edited Mar 23, 2015 at 13:55

Ferrmolina

2,7692 gold badges33 silver badges48 bronze badges

answered Mar 23, 2015 at 13:52

ADIMO

1,11712 silver badges24 bronze badges

1 Comment

Victor Over a year ago

although jwt token are good working solution for handling authenticated clients; it is not a solution for what the OP is asking for (how to send creedentials from client to server)

cuttlas · Accepted Answer · 2015-03-23 13:01:27Z

0

the endpoint api/token should be and HTTP/POST so you can send the username and password in the body.

Then, once you've got the token, it should be sent in every other request using an Authorization Header.

answered Mar 23, 2015 at 13:01

cuttlas

9816 silver badges17 bronze badges

Comments

Ferrmolina · Accepted Answer · 2015-03-23 13:57:15Z

0

There's no true practise but only common practice.

If possible, switch your route from GET to POST and send your password in the HTTP Body. If not possible, you'll need to append parameters to the URL.
Once you retrieve an auth token, add a header to each authenticated request with your token as value (eg. "MyCompany-Auth": "0123456789").

Another good practice is also to use SSL (TLS) over your API calls. You can use a self-signed certificate if you don't want to pay too much.

edited Mar 23, 2015 at 13:57

Ferrmolina

2,7692 gold badges33 silver badges48 bronze badges

answered Mar 23, 2015 at 13:03

sweepy_

1,3411 gold badge9 silver badges28 bronze badges

1 Comment

Fred Over a year ago

There is the standard Authorization header. So he can use Authorization: bearer 0123456789.

Collectives™ on Stack Overflow

How to send credentials over HTTP for rest API

4 Answers 4

Comments

1 Comment

Comments

1 Comment

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Comments

1 Comment

Comments

1 Comment

Linked

Related