A RESTful API is an HTTP-based interface (REST is an architectural style, not a protocol of its own), and in practice we usually need to authenticate the clients that call it. Note that this is authentication, not encryption: keeping the traffic confidential on the wire is the job of TLS, and all three approaches below assume it. There are three authentication approaches commonly seen in practice:
1. HTTP Basic Authentication
HTTP natively supports a simple authentication scheme: the client puts an extra header field, Authorization: Basic em1rOjEyMzQ1Ng==, on every request, so clients can log in with a username and password. Here em1rOjEyMzQ1Ng== is just username:password encoded with Base64 (this one decodes to zmk:123456); it is encoding, not encryption. In practice we DON'T recommend this approach: Base64 is trivially decodable, so anyone who can read the header (for instance on a plain-HTTP connection) has the password itself, and the password is resent with every single request.
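To show that there is nothing to "decrypt", here is an added Python example (mine, not from the original post) that parses an Authorization: Basic header back into the credentials it carries and builds one the way a client would. The header value is the one quoted above; the only assumptions are the helper names.

```python
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Returns None when the header is not a well-formed Basic credential.
    Base64 is an encoding, not encryption: no key is needed to reverse it.
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the FIRST colon only;
    # everything after it is the password, colons included.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def build_basic_auth(user: str, password: str) -> str:
    """Build the header value a client would send (the inverse of the parser)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    # The exact header value quoted in the text above.
    print(parse_basic_auth("Basic em1rOjEyMzQ1Ng=="))             # ('zmk', '123456')
    print(parse_basic_auth(build_basic_auth("alice", "p:w:d")))   # ('alice', 'p:w:d')
    print(parse_basic_auth("Bearer em1rOjEyMzQ1Ng=="))            # None
```

The same two lines of decoding are all an attacker on the network path needs, which is why this scheme is only acceptable over TLS and even then leaks the long-lived password on every request.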
2. Access Token
When a client logs in with the correct username and password, the server generates an Access Token and assigns an Expiry Date to it. Every request the client makes must carry the Access Token, and the server verifies it on each request. When the client logs out, the server destroys this Access Token.
The benefit of this approach is that it is easy to add in front of existing resources, but the drawback is obvious too. If the API is served over plain HTTP, the Access Token can be captured with tools such as Wireshark, and if the server sets the Expiry Date too far in the future, whoever holds a captured token can get at all the resources any time they want until the token is revoked. Keep lifetimes short and make sure logout really invalidates the token server-side.
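To make the token lifecycle concrete, here is an added Python example (my code, not the original post's) of a minimal opaque access-token server: login issues a random token with an Expiry Date, every request is verified against the server-side store, and logout destroys the token so it stops working immediately. The USERS table, the 15-minute TTL and the Bearer header convention are assumptions made for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed user table for the demo. A real system stores a password hash
# and verifies against it; the plain string here only keeps the example short.
USERS = {"zmk": "123456"}

TOKEN_TTL_SECONDS = 15 * 60   # short lifetime limits what a captured token is worth


@dataclass
class Session:
    user: str
    expires_at: float


class TokenServer:
    """Opaque-token store: login issues a token, verify checks it, logout revokes it."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock                     # injectable so expiry can be exercised
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = Session(user, self._clock() + self._ttl)
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None if it is unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() >= sess.expires_at:
            del self._sessions[token]           # expired: drop it so it cannot be reused
            return None
        return sess.user

    def logout(self, token: str) -> bool:
        """Destroy the token server-side; later requests carrying it get 401."""
        return self._sessions.pop(token, None) is not None


def handle_request(server: TokenServer, headers: Dict[str, str]) -> int:
    """Status a protected endpoint answers with, given the request headers."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    return 200 if server.verify(token) else 401


if __name__ == "__main__":
    now = [1_000_000.0]
    srv = TokenServer(ttl=60, clock=lambda: now[0])
    tok = srv.login("zmk", "123456")
    print(handle_request(srv, {"Authorization": f"Bearer {tok}"}))   # 200
    now[0] += 61                                                      # past the Expiry Date
    print(handle_request(srv, {"Authorization": f"Bearer {tok}"}))   # 401
```

Because the token is an opaque random string looked up in a server-side table, revocation is a dictionary delete; the price is that every request costs a lookup and the token, once captured, is as good as the password until it expires or is revoked.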
3. API Key + Security Key + Sign
This approach is commonly used and can be divided into a few steps:
- Step 1: The user logs in successfully and the server returns an API Key and a Security Key. The API Key is a public identifier; the Security Key must stay secret on both sides and is never sent again.
- Step 2: On the user's (client) side, the Security Key, a timestamp and the request_parameters are used to create a Sign (a keyed hash over those values).
- Step 3: Whenever the user wants to make a new request, the API Key, the timestamp, the Sign and the request_parameters are sent to the server.
- Step 4: The server takes the fields above, looks up the Security Key belonging to that API Key, validates the timestamp (rejecting requests outside an acceptable window, which limits replay of a captured request) and checks the Sign by recomputing it from the received fields and comparing the two.
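Here is an added Python example of the whole four-step exchange, client and server side (my code, not the original post's). The names api_key, security_key, sign, nonce, the KEYS table and the 300-second timestamp window are assumptions; HMAC-SHA256 is used as the signing function. It goes slightly beyond the text in one respect: it adds a random nonce per request, so that a captured request cannot simply be replayed inside the timestamp window that Step 4 still has to tolerate for clock skew.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import urlencode

# Constructed key table, api_key -> security_key, as handed out at login (Step 1).
# The security_key lives only on the server and on the client that received it.
KEYS = {"ak_demo": "sk_0f3c9e2d8b7a6c5d4e3f2a1b0c9d8e7f"}

TIMESTAMP_WINDOW = 300   # seconds of clock skew tolerated before a request counts as stale


def canonical_string(api_key: str, timestamp: int, nonce: str, params: Mapping[str, str]) -> str:
    """Deterministic input both sides sign: fixed field order, params sorted by name."""
    return "\n".join([api_key, str(timestamp), nonce, urlencode(sorted(params.items()))])


def make_sign(security_key: str, api_key: str, timestamp: int, nonce: str, params: Mapping[str, str]) -> str:
    """HMAC-SHA256 over the canonical string, keyed with the security_key (Step 2)."""
    msg = canonical_string(api_key, timestamp, nonce, params).encode("utf-8")
    return hmac.new(security_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def client_request(api_key: str, security_key: str, params: Mapping[str, str], now: int) -> Dict[str, str]:
    """Steps 2 and 3: sign locally and send only the public fields, never the security_key."""
    nonce = secrets.token_hex(16)
    return {
        "api_key": api_key,
        "timestamp": str(now),
        "nonce": nonce,
        "sign": make_sign(security_key, api_key, now, nonce, params),
        **params,
    }


class SigningServer:
    """Step 4: look up the security_key, validate the timestamp, recompute and compare the Sign."""

    def __init__(self, keys: Mapping[str, str], clock: Callable[[], float] = time.time):
        self._keys = keys
        self._clock = clock
        self._seen: Dict[str, int] = {}   # nonce -> timestamp, for replay detection

    def verify(self, request: Mapping[str, str]) -> Optional[str]:
        """Return a rejection reason, or None when the request is authentic."""
        fields = dict(request)
        try:
            api_key = fields.pop("api_key")
            timestamp = int(fields.pop("timestamp"))
            nonce = fields.pop("nonce")
            sign = fields.pop("sign")
        except (KeyError, ValueError):
            return "missing or malformed auth fields"
        security_key = self._keys.get(api_key)
        if security_key is None:
            return "unknown api_key"
        now = int(self._clock())
        if abs(now - timestamp) > TIMESTAMP_WINDOW:
            return "stale timestamp"
        expected = make_sign(security_key, api_key, timestamp, nonce, fields)
        if not hmac.compare_digest(expected.encode(), sign.encode()):   # constant-time compare
            return "bad sign"
        # Forget nonces that fell out of the window, then refuse any reuse inside it.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= TIMESTAMP_WINDOW}
        if nonce in self._seen:
            return "replayed nonce"
        self._seen[nonce] = timestamp
        return None


def fixed_clock() -> float:
    """Constructed clock so the demo below is deterministic."""
    return 1_700_000_000


if __name__ == "__main__":
    srv = SigningServer(KEYS, clock=fixed_clock)
    req = client_request("ak_demo", KEYS["ak_demo"], {"user_id": "42", "action": "list"}, int(fixed_clock()))
    print(srv.verify(req))          # None: accepted
    print(srv.verify(req))          # replayed nonce
    req["user_id"] = "43"           # tampering with a parameter invalidates the Sign
    print(srv.verify(req))          # bad sign
```

Two details matter in practice: the canonical string must be built identically on both sides (hence the fixed field order and sorted parameters), and the Sign comparison uses hmac.compare_digest rather than == so that response timing does not leak how many leading bytes of a forged Sign were correct.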
One standardized format that builds on the same signing idea is JWT, with the difference that a JWT signs the token's own claims (typically with HMAC) rather than each request's parameters. In the next article, I will demonstrate how JWT works with some simple examples.