API Authentication Builder
Pick an auth method and get a complete implementation kit — a step-by-step guide, copyable request snippets in curl, fetch and Python, and a server-side verification snippet. Live base64 for Basic Auth and a browser-side JWT decoder included. Everything runs in your browser.
- 1Generate a secret API key in your provider dashboard and store it in an environment variable (never commit it to source control).
- 2Send the key on every request in the "X-API-Key" request header.
- 3Scope the key to least privilege and rotate it on a schedule; revoke immediately if it leaks.
- 4On the server, look the key up in a constant-time store and reject any request whose key is missing, unknown, or revoked.
X-API-Key: sk_live_4eC39HqLyjWDarjtT1zdp7dccurl https://api.example.com/v1/me \
-H "X-API-Key: sk_live_4eC39HqLyjWDarjtT1zdp7dc"Authentication is only as good as the server-side check. Validate the credential, compare in constant time, and authorise by scope — never trust a client-side decode.
// Node — verify an API key in constant time
import { timingSafeEqual } from "node:crypto"
function verifyApiKey(received: string): boolean {
const expected = process.env.API_KEY ?? ""
const a = Buffer.from(received), b = Buffer.from(expected)
return a.length === b.length && timingSafeEqual(a, b)
}
// Reject if the "X-API-Key" header is missing or fails this check.Choosing and implementing API authentication
Every authentication scheme answers the same question — how does the server know this request is from who it claims to be? — but they make very different trade-offs. An API key is a single shared secret: trivial to use, but it identifies the caller rather than a user and must be guarded and rotated like a password. A bearer token generalises that: whoever holds it is authorised, so tokens should be short-lived and scoped. A JWT is a self-describing bearer token whose claims the server verifies cryptographically, which removes a database round-trip but means an issued token can't easily be revoked before its exp. Picking the right one is mostly about who the caller is and how much you trust the network in between.
The detail that catches people out with JWTs is that the payload is only base64url-encoded, not encrypted. The decoder here proves it — paste any token and you can read every claim instantly, which is exactly why you must never put a secret in a JWT and never make an authorization decision from a client-side decode. The signature is the only thing that establishes trust, and it can only be checked on the server against the issuer's key (the JWKS for RS256, or the shared secret for HS256). The same encoding-is-not-encryption point applies to Basic Auth: btoa("user:pass") is reversible by anyone, so its only protection is the TLS layer beneath it — which is why Basic Auth must never travel over plain HTTP.
For machine-to-machine calls, the OAuth 2.0 client-credentials flow is the standards-based answer: a confidential client trades its id and secret for a short-lived access token at the token endpoint, then presents that token. HMAC signing solves a different problem — integrity. By signing the method, path and body with a shared secret and sending the hex digest plus a timestamp, the server can prove the body wasn't altered in transit and reject replays outside a small window. It pairs naturally with webhook delivery, where you can't rely on the caller holding a session and must verify each payload independently.
Whatever you choose, the load-bearing rule is the same: secrets never ship to the client. The generated snippets read keys and secrets from environment variables precisely so you don't inline them into a browser bundle that anyone can read. Document the scheme clearly alongside the rest of your surface — the payment API documentation generator shows how auth fits into a full reference, and the OpenAPI documentation generator turns a spec — security schemes included — into a browsable reference your integrators can trust.
Trusted by API & Security Engineers
“I flip between API Key for internal services and HMAC for partner webhooks, and the generated curl/fetch/python snippets are the exact patterns I copy into our SDK. The constant-time verify snippet for HMAC with the timestamp replay window is the part people always get wrong — having it generated saved me a review cycle.”
“The JWT decoder humanising exp/iat and flagging an expired token is genuinely useful for debugging auth issues, and I love that it loudly says the signature is NOT verified client-side. Snippets read secrets from env vars instead of inlining them — exactly the message I want junior devs to internalise.”
“OAuth client-credentials generated as two clear steps — token request, then the authenticated call — is how I onboard new services. I'd like a refresh-token flow too, but client credentials covers all our machine-to-machine cases and the Python requests version dropped straight into our tooling.”
“I use this in API workshops: pick a method, show the live base64 for Basic, decode a real JWT, and the implementation guide reads like a checklist. Everything runs in-browser so I can paste a sandbox token without worrying it leaves the laptop. Pairs perfectly with the webhook and payment docs tools.”
Love using our calculator?
Related API tools
Related Articles
Dive deeper with our expert guides and tutorials related to API Authentication Builder
api key · bearer · jwt · oauth2 · hmac · basic · in-browser · Last reviewed: 2026-06