# Authentication and Authorization

Security is crucial for web APIs. Authentication verifies identity, while authorization determines permissions.

## Authentication Methods:

### 1. Basic Authentication

- Username and password sent in Authorization header
- Base64 encoded: `Authorization: Basic <credentials>`
- Simple, but the credentials are only Base64-encoded, not encrypted, so it must only be used over HTTPS
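
The following is an added example (not part of the original notes) showing what a server actually does with a Basic header: parse the scheme, Base64-decode `user:password`, split on the first colon only (passwords may contain colons), verify against a salted PBKDF2 hash with a constant-time comparison, and send a `WWW-Authenticate` challenge on failure. The user store, password, and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed user store: only salted PBKDF2-HMAC-SHA256 hashes are kept,
# so a leaked store does not directly yield passwords.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is used when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


_salt, _digest = hash_password("correct horse battery staple")  # constructed sample account
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_salt, _digest)}


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' header, or None.

    The header carries base64(user:password). Base64 is an encoding, not encryption,
    which is why this scheme is only acceptable over HTTPS.
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of ignoring them.
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error (bad Base64) and UnicodeDecodeError
        return None
    # Split on the first colon only: RFC 7617 allows colons inside the password.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate_basic(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None on any failure (never say which part failed)."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record is None:
        # Run the hash anyway so unknown-user and wrong-password responses take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    _, candidate = hash_password(password, salt)
    # compare_digest does not short-circuit on the first differing byte.
    return user if hmac.compare_digest(candidate, expected) else None


def challenge_headers() -> Dict[str, str]:
    """Headers to attach to a 401 response so the client knows how to authenticate."""
    return {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}


def make_basic_header(user: str, password: str) -> str:
    """Build the header a client would send (used here to exercise the parser)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

A real deployment would load the user store from a database and keep the iteration count (or switch to Argon2/scrypt) in line with current guidance; the parsing and comparison logic stays the same.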

### 2. API Keys

- Unique key provided to each client
- Sent in a header, query parameter, or request body (query parameters are the weakest choice, since they end up in server, proxy, and browser logs)
- Simple to implement, but a key is a static shared secret: anyone who obtains it can use it until it is revoked
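
Added example (not from the original notes) of an API-key scheme that limits the damage of a leaked key store: the key is `<key_id>.<secret>`, only a SHA-256 hash of the secret is stored, the key id is used for lookup, and the hash comparison is constant-time. Keys are accepted from the `X-API-Key` header only. The store, key format, and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed store: key_id -> (sha256(secret), client name).
# The secret itself is never stored, so a database dump does not yield usable keys.
KEY_STORE: Dict[str, Tuple[bytes, str]] = {}


def issue_api_key(client: str) -> str:
    """Create a key for a client, store only its hash, and return the full key exactly once."""
    key_id = secrets.token_hex(8)        # public lookup handle, safe to log
    secret = secrets.token_urlsafe(32)   # 256 bits of entropy from the OS CSPRNG
    KEY_STORE[key_id] = (hashlib.sha256(secret.encode("ascii")).digest(), client)
    return f"{key_id}.{secret}"


def verify_api_key(headers: Dict[str, str]) -> Optional[str]:
    """Return the client name for a valid X-API-Key header, or None.

    The key is read from the header only: query strings end up in access logs,
    proxies and browser history, which is the usual way API keys leak.
    """
    normalized = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    presented = normalized.get("x-api-key")
    if not presented or "." not in presented:
        return None
    key_id, secret = presented.split(".", 1)
    record = KEY_STORE.get(key_id)
    if record is None:
        return None
    expected_hash, client = record
    candidate = hashlib.sha256(secret.encode("utf-8")).digest()
    # Fixed-length digests compared in constant time; a plain == would leak match length.
    return client if hmac.compare_digest(candidate, expected_hash) else None


def revoke_api_key(full_key: str) -> bool:
    """Remove a key by its id; returns False if it was not present."""
    key_id = full_key.split(".", 1)[0]
    return KEY_STORE.pop(key_id, None) is not None
```

Because the secret is high-entropy (unlike a password), a fast hash such as SHA-256 is sufficient here; a slow password hash would only add latency without a security benefit.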

### 3. Bearer Tokens

- Token-based authentication
- `Authorization: Bearer <token>`
- Often used with JWT (JSON Web Tokens)

### 4. OAuth 2.0

- Authorization framework for delegated access
- Involves authorization server, resource owner, client, and resource server
- Grant types: Authorization Code, Implicit, Resource Owner Password, Client Credentials (the OAuth 2.0 Security Best Current Practice discourages Implicit and Resource Owner Password; new deployments use Authorization Code, with PKCE for public clients)
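
The client side of the Authorization Code grant, as an added example that is not part of the original notes: step 1 builds the redirect to the authorization server with a per-session `state` value (so a forged callback cannot be bound to the victim's session) and a PKCE `code_challenge`; step 2 validates the callback and assembles the form fields for the token request. The endpoints, client id, and redirect URI are constructed placeholders, and the `session` dict stands in for server-side session storage.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration; substitute the real authorization server's values.
AUTHZ_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/token"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.test/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> Dict[str, str]:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(session: Dict[str, str], scope: str = "read") -> str:
    """Step 1: the URL to redirect the resource owner to.

    'state' ties the eventual callback to this session; the PKCE verifier stays
    server-side and proves to the token endpoint that the same client that started
    the flow is finishing it.
    """
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: Dict[str, str], callback_url: str) -> Optional[Dict[str, str]]:
    """Step 2: validate the redirect back and return the token-request form fields, or None.

    The stored state and verifier are consumed on first use, so a replayed callback
    is rejected even if it carries the original state.
    """
    q = query_params(callback_url)
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected_state is None or verifier is None or "error" in q:
        return None
    received_state = q.get("state", "")
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()) or not q.get("code"):
        return None  # state mismatch: this callback was not started by this session
    return {  # POST these as application/x-www-form-urlencoded to TOKEN_ENDPOINT
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

The token endpoint recomputes `pkce_challenge(code_verifier)` and compares it with the challenge it saw in step 1; the HTTP POST itself is omitted here because it depends on the server in use.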

### 5. JWT (JSON Web Tokens)

- Compact, URL-safe means of representing claims
- Consists of a header, payload, and signature, each Base64url-encoded and joined with dots
- Can be used for authentication and information exchange
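
This added example (not part of the original notes) serves both the Bearer Tokens and JWT sections above: it mints an HS256 JWT with the standard library, extracts the token from an `Authorization: Bearer` header, and verifies it. The verifier fixes the expected algorithm itself rather than trusting the token's `alg` field, checks the signature before parsing the payload, and treats a missing or passed `exp` as invalid. The signing key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed signing key; in practice it comes from a secrets manager, never from source.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: Dict[str, Any], key: bytes = SIGNING_KEY,
             ttl: int = 900, now: Optional[int] = None) -> str:
    """Return header.payload.signature signed with HMAC-SHA256; exp = now + ttl seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the signature and expiry are valid, otherwise None.

    The accepted algorithm is decided here, not read from the token: honouring an
    attacker-chosen 'alg' (such as 'none') is the classic JWT verification mistake.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
            return None
        claims = json.loads(_b64url_decode(payload_b64))  # only parsed once the signature is good
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def bearer_token_from_header(header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip() or None
```

Production code would normally use a maintained JWT library and an asymmetric algorithm (so resource servers hold only a public key), but the three checks shown here, fixed algorithm, signature before payload, expiry, are what any such library must do.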

## Authorization:

- **Role-Based Access Control (RBAC)**: Permissions based on user roles
- **Attribute-Based Access Control (ABAC)**: Permissions based on attributes
- **Access Control Lists (ACLs)**: Permissions defined per resource
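
Added example (not part of the original notes) showing the three authorization models side by side on one request: RBAC maps roles to a fixed permission set, ABAC evaluates predicates over the principal's and resource's attributes, and a per-resource ACL grants actions to specific users. The combination rule (ACL grant, or RBAC permission plus at least one matching ABAC policy, deny otherwise) is a constructed policy for the demo, as are the roles, attributes, and sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set


@dataclass
class Principal:
    user_id: str
    roles: FrozenSet[str]
    attributes: Dict[str, str] = field(default_factory=dict)  # e.g. department


@dataclass
class Resource:
    resource_id: str
    owner_id: str
    attributes: Dict[str, str] = field(default_factory=dict)
    acl: Dict[str, Set[str]] = field(default_factory=dict)    # user_id -> allowed actions


# RBAC: each role carries a fixed permission set; unknown roles grant nothing.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:update"},
    "admin": {"document:read", "document:update", "document:delete"},
}


def rbac_allows(p: Principal, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in p.roles)


# ABAC: policies are predicates over (principal, resource, action).
Policy = Callable[[Principal, Resource, str], bool]


def same_department(p: Principal, r: Resource, action: str) -> bool:
    dept = p.attributes.get("department")
    return dept is not None and dept == r.attributes.get("department")


def is_owner(p: Principal, r: Resource, action: str) -> bool:
    return p.user_id == r.owner_id


ABAC_POLICIES: List[Policy] = [same_department, is_owner]


# ACL: explicit per-resource grants to individual users.
def acl_allows(p: Principal, r: Resource, action: str) -> bool:
    return action in r.acl.get(p.user_id, set())


def is_authorized(p: Principal, r: Resource, action: str) -> bool:
    """Deny by default. Allow if the ACL grants the action explicitly, or if the
    principal's roles permit the action AND at least one ABAC policy relates the
    principal to this particular resource."""
    if acl_allows(p, r, action):
        return True
    return rbac_allows(p, action) and any(policy(p, r, action) for policy in ABAC_POLICIES)
```

The point of requiring both an RBAC permission and an ABAC match is that a role alone says what kind of action a user may perform, while the attribute policy says on which resources; an "editor" should not be able to edit every document in the system.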

## Security Best Practices:

- Always use HTTPS
- Implement rate limiting
- Validate and sanitize inputs
- Use secure token storage
- Implement proper error handling (don't leak sensitive information)
- Regularly rotate keys and tokens
- Set the `Secure` attribute on cookies so browsers send them only over HTTPS (web applications)

## Common Security Headers:

- `X-API-Key`: For API key authentication
- `Authorization`: For Bearer tokens
- `WWW-Authenticate`: For authentication challenges
- `X-Rate-Limit-*`: For rate limiting information

## Token Expiration and Refresh:

- Access tokens should have short lifetimes
- Use refresh tokens to obtain new access tokens
- Implement token revocation mechanisms
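
Added example (not part of the original notes) of a token service that implements all three points: access tokens expire after 15 minutes, refresh tokens are single-use and rotated on every refresh, and revocation works per token family (all tokens descended from one login). Reuse of an already-rotated refresh token is treated as a sign that a copy has leaked, so the whole family is revoked. Opaque random tokens stand in for the access-token format; the lifetimes and class name are constructed for the demo.

```python
import secrets
import time
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 15 * 60            # short: limits the window of a stolen access token
REFRESH_TTL = 30 * 24 * 3600    # longer, but each refresh token is usable exactly once


class TokenService:
    """Issues short-lived access tokens and rotating, revocable refresh tokens."""

    def __init__(self) -> None:
        # refresh token -> (subject, family, expires_at, already_used)
        self._refresh: Dict[str, Tuple[str, str, int, bool]] = {}
        # access token -> (subject, family, expires_at)
        self._access: Dict[str, Tuple[str, str, int]] = {}
        self._revoked_families: Set[str] = set()

    def issue(self, subject: str, family: Optional[str] = None,
              now: Optional[int] = None) -> Tuple[str, str]:
        """Return (access_token, refresh_token); a new family starts at login."""
        now = int(time.time()) if now is None else now
        family = family or secrets.token_hex(8)
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (subject, family, now + ACCESS_TTL)
        self._refresh[refresh] = (subject, family, now + REFRESH_TTL, False)
        return access, refresh

    def validate_access(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the subject for a live access token, else None."""
        now = int(time.time()) if now is None else now
        record = self._access.get(token)
        if record is None or now >= record[2]:
            return None
        return record[0]

    def refresh(self, refresh_token: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new pair; the old refresh token is retired."""
        now = int(time.time()) if now is None else now
        record = self._refresh.get(refresh_token)
        if record is None:
            return None
        subject, family, expires_at, used = record
        if family in self._revoked_families or now >= expires_at:
            return None
        if used:
            # A rotated token presented again: either the client or someone holding a
            # stolen copy is replaying it. Revoke the whole family so neither can continue.
            self.revoke_family(family)
            return None
        self._refresh[refresh_token] = (subject, family, expires_at, True)
        return self.issue(subject, family, now)

    def revoke_family(self, family: str) -> None:
        """Invalidate every refresh and access token descended from one login."""
        self._revoked_families.add(family)
        self._refresh = {t: r for t, r in self._refresh.items() if r[1] != family}
        self._access = {t: r for t, r in self._access.items() if r[1] != family}

    def revoke_refresh_token(self, refresh_token: str) -> bool:
        """Explicit logout: revoke the family this refresh token belongs to."""
        record = self._refresh.get(refresh_token)
        if record is None:
            return False
        self.revoke_family(record[1])
        return True
```

Keeping a family id on the access tokens as well lets a logout or reuse detection cut off access immediately instead of waiting for the 15-minute expiry; with stateless JWT access tokens that immediate cut-off is exactly what is lost, which is why their lifetime must stay short.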
