Authentication
For authenticated requests, a SERVER MUST support authentication through the basic authentication method. A SERVER MAY support additional authentication methods, such as OAuth, JSON Web Token, and OpenID Connect, as well as non-authenticated requests. Note that basic authentication only encodes the credentials; it does not encrypt them, so anyone able to read the request can recover the password. Basic authentication is therefore only safe on a TLS-protected connection.
The following example shows the Authorization header of a request using basic authentication.
GET /2022-04/events HTTP/1.1
Accept: application/vnd.api+json
Authorization: Basic Y2hyaXM6c2VjcmV0
In this example, the value of Authorization contains the string chris:secret encoded in base64 (https://en.wikipedia.org/wiki/Base64), giving Y2hyaXM6c2VjcmV0, as specified in the basic authentication method (RFC 7617).
If a SERVER does support authenticated requests, it MUST respond to unauthorized requests with the 401 Unauthorized status code (see ???). A 401 response also carries a WWW-Authenticate header naming the supported scheme(s), as required by RFC 7235. If an error message body is included in the response, the SERVER MAY use an error object to differentiate requests that lack an Authorization header from those that carry invalid credentials, as in the two responses below.
HTTP/1.1 401 Unauthorized
Content-Type: application/vnd.api+json
{ "error": [{ "status": "401", "title": "Unauthenticated request" }], … }
HTTP/1.1 401 Unauthorized
Content-Type: application/vnd.api+json
{ "error": [{ "status": "401", "title": "Invalid credentials" }], … }
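The following is an added example, not code from the specification or any reference implementation, showing both sides of the exchange above: building the Basic Authorization header for chris:secret, and a server-side check that produces the two 401 responses (missing header versus invalid credentials). The user store, the realm name "events", and the function names are assumptions for illustration; a real server would keep salted password hashes rather than the plaintext. Credentials are compared with a constant-time comparison so that response timing does not leak which usernames exist.

```python
import base64
import binascii
import hmac
import json

# Constructed credential store for this example only (hypothetical user "chris").
# A real deployment stores a salted password hash, never the plaintext password.
USERS = {"chris": "secret"}

CONTENT_TYPE = "application/vnd.api+json"
# Realm name is an assumption; RFC 7235 requires WWW-Authenticate on a 401.
WWW_AUTHENTICATE = 'Basic realm="events"'


def make_basic_authorization(user, password):
    """Client side: build the Authorization header value for RFC 7617 Basic auth."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header):
    """Return (user, password) from a Basic Authorization value, or None if malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', but the password may; split on the first one.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time check so that a wrong user and a wrong password take the same time."""
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy value so unknown users are not faster to reject.
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def error_response(title):
    """Build the 401 response as (status, headers, body dict) using the spec's error object."""
    headers = {"Content-Type": CONTENT_TYPE, "WWW-Authenticate": WWW_AUTHENTICATE}
    body = {"error": [{"status": "401", "title": title}]}
    return 401, headers, body


def authenticate(request_headers):
    """Return None when the request is authenticated, else a 401 (status, headers, body)."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    headers = {k.lower(): v for k, v in request_headers.items()}
    auth = headers.get("authorization")
    if auth is None:
        return error_response("Unauthenticated request")
    creds = parse_basic_authorization(auth)
    if creds is None or not credentials_valid(*creds):
        return error_response("Invalid credentials")
    return None


def render_response(response):
    """Serialise a (status, headers, body) triple to the wire form shown in the spec examples."""
    status, headers, body = response
    head = f"HTTP/1.1 {status} Unauthorized\n" + "".join(f"{k}: {v}\n" for k, v in headers.items())
    return head + "\n" + json.dumps(body)


if __name__ == "__main__":
    print(make_basic_authorization("chris", "secret"))
    print(render_response(authenticate({})))
    print(render_response(authenticate({"Authorization": "Basic am9objpzZWNyZXQ="})))
    print(authenticate({"Authorization": make_basic_authorization("chris", "secret")}))
```

A malformed token (bad base64, a missing ':' separator, or a scheme other than Basic) is treated the same as wrong credentials rather than reported separately, so the response does not tell a client which part of the header was rejected.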