Here are 3 ways to authenticate a client with an API that you are designing.
1. Basic HTTP Auth
This is as simple as it gets. Every API request includes a username and password. The API server authenticates the request and either returns the correct response or returns a 403 Unauthenticated error.
You can see an example of how a client would set this up with Postmark’s webhook API documentation: https://postmarkapp.com/developer/webhooks/webhooks-overview
2. OAuth
This can be very secure, and is ideal if you’re building an API where you won’t control all the clients. The client opens a web browser, a user logs into the API on a web page controlled by the API, and then a token is handed to the client. The client combines that token with a special secret token it was given when it registered with the API at an earlier time, and the client can then make requests to the API on behalf of the user. Generally, users can easily revoke the OAuth token when they log into the API service. You can read more at the official site: https://oauth.net/2/
3. A unique token per user account
A client would send the API a user’s credentials, and once authenticated, the API would send back a special token, such as a randomly generated string of characters. All other requests would then send this token, which the API would use to confirm the client’s access.
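A minimal server-side sketch of the per-user token flow described above. This is an added example, not code from the original article; the class name, the in-memory stores, the one-hour lifetime and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed lifetime; the article does not specify one
PBKDF2_ROUNDS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class TokenAuth:
    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self._tokens = {}  # sha256(token) -> (username, expiry timestamp)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = hash_password(password, salt)
        if not stored or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Keep only a hash: a leaked token table cannot be replayed as-is.
        self._tokens[self._digest(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token, now=None):
        """Return the username for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(self._digest(token))
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def revoke(self, token):
        self._tokens.pop(self._digest(token), None)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```

The password crosses the wire only at login; every later request carries the token, which can be expired or revoked without changing the password.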
I think the best way, one that optimizes user security and time, is to use a unique token for each client that authenticates with your API, especially if the client is one that you also control and you can ensure that your user’s password won’t be stolen. But consider the context, and pick one based on your needs.