
Authentication

For authenticated requests, a SERVER MUST support authentication through the basic authentication method. A SERVER MAY support additional authentication methods, such as OAuth, JSON Web Token, and OpenID Connect, and MAY also accept non-authenticated requests.

The following example presents the Authorization header of a request using basic authentication.

GET /2022-04/events HTTP/1.1
Accept: application/vnd.api+json
Authorization: Basic Y2hyaXM6c2VjcmV0

In this example, the value of Authorization contains the string chris:secret encoded in base64 (https://en.wikipedia.org/wiki/Base64), which yields Y2hyaXM6c2VjcmV0, as specified in the basic authentication method (RFC 7617). Base64 is an encoding, not encryption: anyone who can read the request can recover the user name and password, so basic authentication is only safe over TLS.

If a SERVER does support authenticated requests, it MUST respond to unauthorized requests with the 401 Unauthorized status code (see ???). Note that HTTP (RFC 7235) requires a 401 response to carry a WWW-Authenticate header with the challenge, for example WWW-Authenticate: Basic realm="events". If an error message body is included in the response, the SERVER MAY use an error object to differentiate requests that lack an Authorization header from those that contain invalid credentials, as in the two responses below.

HTTP/1.1 401 Unauthorized
Content-Type: application/vnd.api+json

{ "error": [{ "status": "401", "title": "Unauthenticated request" }], …​ }

HTTP/1.1 401 Unauthorized
Content-Type: application/vnd.api+json

{ "error": [{ "status": "401", "title": "Invalid credentials" }], …​ }
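The following Python module is an added example, not code from the page or from any implementation of this specification. It shows both halves of the exchange above: the client builds the Authorization value for chris:secret, and the server parses it, checks the password against a salted hash in constant time, and answers with the two distinct 401 bodies shown on the page. The user table, the realm name "events", and the WWW-Authenticate header (required by RFC 7235 but absent from the page's examples) are assumptions of the example; the top-level "error" member follows the page's responses as written.

```python
import base64
import hashlib
import hmac
import json
import os

MEDIA_TYPE = "application/vnd.api+json"
REALM = "events"  # assumed realm name for the WWW-Authenticate challenge


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the credential store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store for this example: the single user from the page.
_SALT = os.urandom(16)
USERS = {"chris": (_SALT, _hash_password("secret", _SALT))}
# Dummy entry used for unknown users so that a lookup miss costs the same as a hit.
_DUMMY = (os.urandom(16), _hash_password(os.urandom(16).hex(), os.urandom(16)))


def basic_authorization_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user-id ':' password), per RFC 7617."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(value: str):
    """Server side: return (username, password), or None if not well-formed basic auth."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def unauthorized(title: str):
    """Build a 401 as (status, headers, body). RFC 7235 requires the WWW-Authenticate challenge."""
    headers = {
        "Content-Type": MEDIA_TYPE,
        "WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"',
    }
    # Top-level member name follows the page's example responses.
    body = json.dumps({"error": [{"status": "401", "title": title}]})
    return 401, headers, body


def authenticate(headers: dict):
    """Return (username, None) when the credentials check out, else (None, 401 response)."""
    # Header names are case-insensitive in HTTP.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None, unauthorized("Unauthenticated request")
    creds = parse_basic_authorization(auth)
    if creds is None:
        # A malformed header is treated like bad credentials, not like a missing one.
        return None, unauthorized("Invalid credentials")
    username, password = creds
    entry = USERS.get(username)
    salt, digest = entry if entry is not None else _DUMMY
    # Always hash and compare in constant time: neither the existence of the user
    # nor the position of the first wrong byte leaks through timing.
    ok = hmac.compare_digest(_hash_password(password, salt), digest) and entry is not None
    if not ok:
        return None, unauthorized("Invalid credentials")
    return username, None


if __name__ == "__main__":
    print(basic_authorization_header("chris", "secret"))
    print(authenticate({"Accept": MEDIA_TYPE}))
    print(authenticate({"Authorization": basic_authorization_header("chris", "secret")}))
```

Two design points are worth checking in any real implementation: the user lookup and password comparison take the same time whether or not the user exists, so the "Invalid credentials" body does not turn into a user-enumeration oracle, and a syntactically broken Authorization header is classified as invalid credentials rather than as an unauthenticated request, which keeps the "Unauthenticated request" body reserved for clients that sent nothing at all.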