
I'm trying to make my first API; I have never done an API before. I read a couple of pieces of documentation but couldn't find something simple enough to describe the authentication process.

How do I authenticate a user through an API? Like, how can I give app developers a way to make a login form that grants their users access to their info in my database, and for me to provide data based on the logged-in user?

I'm confused by the idea of authenticating users through an API: how can they send their passwords securely?

Mohamed Said
  • What's your definition of "secure"? If you're worried about sniffing, run the service over SSL (e.g. https). – Marc B Feb 06 '13 at 15:03
  • By secure I mean, I need to make sure that this user trying to retrieve data is a user in my database. – Mohamed Said Feb 06 '13 at 15:08

2 Answers


As you are talking about PHP and JavaScript, I assume that you are talking about an HTTP (REST) API. In that case I would almost always argue for using standard HTTP Authentication. This sends a username and password encoded in Base64. This might look encrypted but is, as the name says, just an encoding. Therefore it is not secure. If you want that done securely, I strongly suggest using HTTPS.

Have a look at:

HTTP Auth in PHP

Relevant Standard

EDIT: As requested, a short summary of how this works. The long (and somewhat hard to read) standard describes how the server can request that the client authenticate itself. The client then sends username and password (the Base64-encoded version of username:password) to the server. As this Basic HTTP Authentication is specified in the standard, it is quite widespread and there are tons of libraries in pretty much every language for it. However, as mentioned previously, I would strongly suggest using it with HTTPS. Otherwise it does nothing but expose the user's password to the internet.

Although I'm strongly in favor of using standard HTTP authentication, you might also want to have a look at other concepts: OAuth, API keys, Amazon Stuff

Marc Fischer
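As an added illustration of the exchange this answer describes (not code from the answer or from the linked standard), here is a minimal server-side check of HTTP Basic Authentication in Python: the 401 challenge, decoding the Base64 `username:password` pair, and verifying it against a store of salted password hashes instead of plaintext. The user name, password, realm and the `is_https` flag are constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed user store: the server never keeps plaintext passwords,
# only a per-user random salt and a PBKDF2 hash of the password.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)  # drawn once so the store is stable within one run
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

def decode_basic(header):
    """Return (username, password) from an 'Authorization: Basic ...' header, else None.
    Base64 is reversible: anyone who sees this header on the wire has the password."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # password may itself contain ':'
    return user, password

def authenticate(headers, is_https):
    """Return (status, response_headers, username).
    A 401 carries the WWW-Authenticate challenge that makes the client send credentials."""
    challenge = {"WWW-Authenticate": 'Basic realm="api"'}
    if not is_https:
        return 403, {}, None  # never accept a password over plaintext HTTP
    creds = decode_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    user, password = creds
    entry = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid usernames.
    salt, expected = entry if entry else (b"\x00" * 16, b"\x00" * 32)
    computed = _hash_password(password, salt)
    if entry is None or not hmac.compare_digest(computed, expected):
        return 401, challenge, None
    return 200, {}, user

def basic_header(user, password):
    """What a client (for example a JavaScript fetch call) puts in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```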

Perhaps you should take a look at OAuth; that's the way Twitter works, for example.

m4t1t0