
๐Ÿ” API Token

In the previous section, you saw how endpoints define the structure of your API, and how resources are grouped. But none of that matters without a secure way to access those endpoints, and that’s where the API Token comes in.

An API token acts as a digital key. It is included in the header of a request, telling the server, “Hey, I am authorized to do this.” Without it, even a perfectly structured /users endpoint will return a 401 Unauthorized or 403 Forbidden.

Tokens are usually passed via HTTP headers, often under the Authorization field. This applies whether you are building a single-page app, a mobile app, or a CLI that interacts with an API.

There are different types of tokens:

  • Bearer Tokens, the most common type, included in the Authorization header
  • API Keys, simpler but less secure
  • JWTs (JSON Web Tokens), self-contained, stateless, and often include expiration
  • OAuth Tokens, used when integrating with third-party services

API tokens provide a mechanism for both authentication and authorization. In the Authentication and Authorization section, we explored how tokens tie directly into role-based access control, scopes, and rate limits.

Here is a real-world example using curl:

โœ๏ธ Example Curl Request with Tokenโ€‹

curl -H "Authorization: Bearer sk_test_abc123" \
https://api.example.com/users/12345

This tells the server, “Here is who I am, verify me, and give me access to the user record.” Without that token, the request would be denied with a 401 or 403 error.

📄 YAML Example: Securing a Route

```yaml
paths:
  /users:
    get:
      security:
        - bearerAuth: []
      summary: Retrieve user list
      responses:
        '200':
          description: OK
```

This snippet shows how a GET /users endpoint is protected with a bearer token in an OpenAPI specification. The name bearerAuth refers to a security scheme that must be declared under components.securitySchemes elsewhere in the same document. It also shows that only authenticated users will receive a 200 OK response.

🧠 Token Best Practices

  • Always use HTTPS when sending tokens
  • Never expose tokens in URLs or client-side code
  • Use short token expirations and refresh mechanisms
  • Store tokens securely (e.g., in memory for browser apps, encrypted storage for servers)
  • Rotate compromised tokens immediately

You can also scope tokens so they only apply to certain endpoints or actions. For instance, a token might allow GET /users, but not DELETE /users.
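To make the scoping rule above concrete, here is an added example (not code from this course) of a minimal server-side check: it pulls the bearer token out of the Authorization header, looks it up in a constructed token store keyed by token hash, and answers 401 when no usable credential is present versus 403 when the credential is valid but lacks the scope the route requires. The token names, scope names and the REQUIRED_SCOPE table are assumptions made for this example.

```python
import hashlib
from typing import Optional

def _digest(token: str) -> str:
    # The server stores only a hash of each token, so a leaked table
    # does not hand out usable keys.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed token store: sk_test_abc123 is the token from the curl example
# above (read-only); sk_test_admin9 is an assumed admin token.
TOKEN_STORE = {
    _digest("sk_test_abc123"): {"scopes": {"users:read"}},
    _digest("sk_test_admin9"): {"scopes": {"users:read", "users:delete"}},
}

# Scope each route requires (assumed names): GET /users is allowed for a
# read-only token, DELETE /users is not.
REQUIRED_SCOPE = {
    ("GET", "/users"): "users:read",
    ("DELETE", "/users"): "users:delete",
}

def extract_bearer(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None          # wrong scheme (e.g. Basic) or empty token
    return token

def authorize(method: str, path: str, headers: dict) -> int:
    """Return the HTTP status the server should answer with.

    401: no credential or an unknown one (authentication failed).
    403: credential is known but its scopes do not cover the route.
    """
    token = extract_bearer(headers)
    if token is None:
        return 401
    record = TOKEN_STORE.get(_digest(token))
    if record is None:
        return 401
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404           # route not defined in this example
    if needed not in record["scopes"]:
        return 403
    return 200
```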

If you are managing multiple roles (admin, user, guest), your API logic should restrict routes based on token claims, such as role: admin or plan: premium.

🧠 Check Your Understanding

🧪 Quiz: What’s the purpose of an API token?

  • It authorizes and authenticates API requests
  • It increases the speed of your endpoint
  • It replaces all need for HTTPS
  • It encrypts frontend UI code automatically

✅ Summary and What’s Next

API tokens are your first layer of defense. They ensure that only authenticated clients can reach protected endpoints. Now that you understand how they work, and how to secure them in OpenAPI and requests, you are ready to look at what happens when users send too many requests at once.

We will explore how Rate Limits help enforce fairness, protect infrastructure, and integrate directly with token-based access.

👉 Continue to Rate Limits.