Authentication is the process of verifying the identity of a client making a request to an API.
In HTTP APIs, a common authentication mechanism is an API key.
The API key is sent in the Authorization header of every request:
Authorization: Bearer <api-key>

The server rejects requests with a missing or invalid key with 401 Unauthorized.
Authorization is the process of determining whether an authenticated client has permission to access a specific endpoint or resource.
A client can be authenticated but still lack permission for certain resources.
Common HTTP status codes related to auth:
401 (Unauthorized) — the client is not authenticated (missing or invalid API key).
403 (Forbidden) — the client is authenticated but not allowed to access this resource.
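The following is an added example, not code from the original page: a minimal request check that applies the two steps described above in order. It first authenticates the client from the Authorization header (returning 401 when the header is missing, malformed, or carries an unknown key) and only then checks whether that client is allowed to call the requested endpoint (returning 403 when it is not). The API keys, the scopes they carry, and the per-endpoint scope table are constructed sample data and are assumptions of this example; a real service would store hashed keys rather than plaintext and would load the policy from configuration.

```python
import hmac
from typing import Mapping, Optional, Set, Tuple

# Constructed sample data (assumption): API keys and the scopes each one holds.
# A production service keeps hashed keys in a store, never plaintext in code.
API_KEYS = {
    "key-reader-0001": {"reports:read"},
    "key-admin-0002": {"reports:read", "reports:write", "users:read"},
}

# Constructed sample policy (assumption): the scope each (method, path) requires.
# Endpoints absent from this table are denied by default.
ENDPOINT_SCOPES = {
    ("GET", "/reports"): "reports:read",
    ("POST", "/reports"): "reports:write",
    ("GET", "/users"): "users:read",
}


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent or malformed."""
    # HTTP header names are case-insensitive, so match them case-insensitively.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_key(token: str) -> Optional[Set[str]]:
    """Return the scopes for a presented key, or None if the key is unknown.

    Every stored key is compared with hmac.compare_digest and the loop never
    exits early, so response timing does not reveal how much of a key matched.
    """
    found = None
    for key, scopes in API_KEYS.items():
        if hmac.compare_digest(key.encode(), token.encode()):
            found = scopes
    return found


def authorize_request(headers: Mapping[str, str], method: str, path: str) -> Tuple[int, str]:
    """Return (status, reason): 401 if unauthenticated, 403 if not permitted, 200 otherwise."""
    # Step 1: authentication. Any failure here is 401, and we say nothing about
    # the resource, since the client has not proven who it is.
    token = extract_bearer_token(headers)
    if token is None:
        return 401, "missing or malformed Authorization header"
    scopes = lookup_key(token)
    if scopes is None:
        return 401, "unknown API key"

    # Step 2: authorization. The client is known; check what it may do.
    required = ENDPOINT_SCOPES.get((method.upper(), path))
    if required is None:
        return 403, "no policy for endpoint (deny by default)"
    if required not in scopes:
        return 403, f"key lacks required scope {required}"
    return 200, "ok"


if __name__ == "__main__":
    print(authorize_request({}, "GET", "/reports"))
    print(authorize_request({"Authorization": "Bearer key-reader-0001"}, "GET", "/reports"))
    print(authorize_request({"Authorization": "Bearer key-reader-0001"}, "POST", "/reports"))
```

Keeping the two checks in this order matters: an unauthenticated caller must never learn from a 403 whether a resource exists or what scope it needs, and a deny-by-default policy table means a newly added endpoint is closed until someone explicitly grants access to it.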