# Handling Authentication

- APIs often require authentication to control access, rate limits, and auditing.
- Without authentication, requests to protected endpoints will fail with codes like 401 (Unauthorized) or 403 (Forbidden).
- This section demonstrates a simple GET to a protected endpoint, illustrating why auth is needed.

## Why Authentication?

- Authentication tells the API who you are, enabling personalized data and higher rate limits.
- It prevents unauthorized access to private resources and supports auditing of actions.
- Authenticated requests often succeed where anonymous requests would be blocked or limited.

In [2]:

```python
GITHUB_ENDPOINT = "https://api.github.com"
HTTPBIN_ENDPOINT = "https://httpbin.org"
```

## Basic Authentication

- Basic Auth sends a username and password with each request, base64-encoded in the `Authorization` header.
- `requests` accepts an `auth=(username, password)` tuple and handles encoding automatically.
- Servers return `401 Unauthorized` when credentials are missing or incorrect.
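The following is an added example, not code from the original notebook. It builds the exact `Authorization` value that `requests` sends for `auth=(username, password)`, then decodes it again to make the security point explicit: Basic auth is base64 encoding, not encryption, so anyone who can read the request (a proxy, a log, a capture on plain HTTP) recovers the password. The `build_basic_request` helper therefore refuses non-HTTPS URLs. The username `user` and password `pass` are constructed values matching httpbin's `/basic-auth/user/pass` endpoint; the `main` block, which needs `requests` and network access, is optional.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import urlsplit

HTTPBIN_ENDPOINT = "https://httpbin.org"  # same constant as the notebook cell above


def basic_auth_header(username: str, password: str) -> str:
    """Return the header value requests builds for auth=(username, password).

    The value is just base64("username:password"): an encoding, not encryption.
    """
    credentials = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def decode_basic_header(value: str) -> Tuple[str, str]:
    """Recover username and password from a Basic header.

    This is all an eavesdropper on plain HTTP has to do, which is why Basic
    credentials must only travel over TLS.
    """
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("latin-1")
    username, _, password = decoded.partition(":")
    return username, password


def build_basic_request(url: str, username: str, password: str) -> Dict[str, str]:
    """Headers for a Basic-auth GET; refuses to put credentials on the wire in clear text."""
    scheme = urlsplit(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}; use https")
    return {
        "Authorization": basic_auth_header(username, password),
        "Accept": "application/json",
    }


if __name__ == "__main__":
    # Optional check against the real library and a real endpoint (needs network).
    import requests

    url = f"{HTTPBIN_ENDPOINT}/basic-auth/user/pass"  # constructed test credentials
    prepared = requests.Request("GET", url, auth=("user", "pass")).prepare()
    assert prepared.headers["Authorization"] == basic_auth_header("user", "pass")

    response = requests.get(url, headers=build_basic_request(url, "user", "pass"), timeout=10)
    print(response.status_code)  # 200 with correct credentials, 401 otherwise
    print(decode_basic_header(prepared.headers["Authorization"]))  # ('user', 'pass')
```

Run it once with the wrong password to see the `401 Unauthorized` the bullet above describes; the `decode_basic_header` call is the reason the `https` check exists.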

## Token-Based Authentication

- Modern APIs use API keys or bearer tokens passed via the `Authorization` header.
- For GitHub PATs, use `Authorization: token <PAT>` or `Authorization: Bearer <PAT>`; for OAuth2, `Authorization: Bearer <token>`.
- Always load tokens from environment variables to avoid hardcoding secrets.

## Common Pitfalls & How to Avoid Them

- Using the wrong header format (e.g., `Bearer` vs `token`) causes 401/403 errors. Follow API docs.
- Hardcoding secrets risks accidental exposure; always use environment variables or secret managers.
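The following is an added example, not code from the original notebook; it covers the token-based section and both pitfalls above. It loads a token from an environment variable (failing loudly if it is missing), picks the `token` or `Bearer` scheme from a small table keyed by API rather than guessing, redacts the token for any log line, and maps the `401`/`403` responses the section mentions to their likely causes. The `GITHUB_TOKEN` variable name, the `SCHEMES` table and the `redact` helper are this example's own choices; the `main` block performs the anonymous and authenticated GETs against `GITHUB_ENDPOINT/user` from the introduction and needs network access, while the helper functions run offline.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

GITHUB_ENDPOINT = "https://api.github.com"  # same constant as the notebook cell above

# Scheme per API, taken from each API's docs. GitHub accepts "token" or "Bearer"
# for PATs; using a scheme the API does not document is the usual cause of 401/403.
SCHEMES = {"github": "token", "oauth2": "Bearer"}


def load_token(var_name: str = "GITHUB_TOKEN") -> str:
    """Read the token from the environment so it never lives in source control."""
    token = os.environ.get(var_name, "").strip()
    if not token:
        raise RuntimeError(f"set {var_name} in the environment; tokens are never hardcoded")
    return token


def auth_header(token: str, api: str = "github") -> Dict[str, str]:
    """Build the Authorization header with the scheme the API documents."""
    try:
        scheme = SCHEMES[api]
    except KeyError:
        raise ValueError(f"unknown API {api!r}; check its docs for the header scheme") from None
    return {"Authorization": f"{scheme} {token}", "Accept": "application/json"}


def redact(token: str) -> str:
    """Keep only a short prefix so log lines and tracebacks cannot leak the secret."""
    return token[:4] + "..." if len(token) > 4 else "***"


def explain_status(status: int) -> str:
    """Map the codes the section discusses to the most likely cause."""
    if status == 200:
        return "200: authenticated request succeeded"
    if status == 401:
        return "401: credentials missing, malformed, or sent with the wrong scheme (Bearer vs token)"
    if status == 403:
        return "403: authenticated but not permitted, or rate limit exceeded"
    return f"{status}: consult the API docs"


def get_json(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Tuple[int, Optional[dict]]:
    """GET url and return (status, parsed JSON or None); 401/403 are returned, not raised."""
    request = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as exc:
        return exc.code, None


if __name__ == "__main__":
    url = f"{GITHUB_ENDPOINT}/user"

    # Anonymous request first: the protected endpoint answers 401.
    status, _ = get_json(url, {"Accept": "application/json"})
    print("anonymous:", explain_status(status))

    # Then the same request with a PAT loaded from the environment.
    token = load_token()
    print("using token", redact(token))
    status, body = get_json(url, auth_header(token, "github"))
    print("authenticated:", explain_status(status))
    if body:
        print("logged in as", body.get("login"))
```

Export `GITHUB_TOKEN` in the shell before running; if you see `401` with a token present, compare the scheme in `SCHEMES` against the API's documentation before suspecting the token itself.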