# Authentication
RestAPI.com uses JWT (JSON Web Tokens) for API authentication. Tokens are issued in response to authentication requests and contain user information including name and role memberships.
## How It Works

- User authenticates via an identity provider (Microsoft, Google, Facebook, etc.) or a service account
- RestAPI.com issues a JWT bearer token
- Include the token in the `Authorization` header for subsequent requests:

```
Authorization: Bearer <your-token>
```
## Identity Providers

RestAPI.com integrates with popular identity providers:

| Provider | Description |
|---|---|
| Microsoft | Personal and work accounts (supports single-tenant for organizations) |
| Google | Google accounts |
| Apple | Apple ID |
| Facebook | Facebook accounts |
| OpenID Connect | Any OIDC-compliant provider (Auth0, Okta, Keycloak, etc.) |
| Passkey | WebAuthn passwordless authentication |
| Vipps | Norwegian mobile payment and login service |
Users authenticate through these providers, and RestAPI.com issues a JWT token for API access.
Configure providers in the Developer Portal under Security → Auth Providers.
## Authentication Endpoint

Tokens are obtained from the authentication endpoint:

```
https://<region>.restapi.com/<api-name>/_auth
```
## Service Accounts

For server-to-server communication without user interaction, use service accounts. Service accounts are created at the API level under Team → Service Accounts.

### Getting a Token

POST to the `/_auth` endpoint with your service account credentials:

```javascript
// Exchange service account credentials for a JWT. The client ID and secret
// below are placeholders; load the real values from configuration, not source.
const response = await fetch('https://eu.restapi.com/my-api/_auth', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    authority: 'serviceaccount',
    clientId: 'your-client-id',
    clientSecret: 'your-client-secret',
  }),
});

// The response body carries the bearer token under the `token` field.
const { token } = await response.json();
```
### Using the Token

Include the token in your API requests:

```javascript
// Send the JWT as a bearer token in the Authorization header.
const data = await fetch('https://eu.restapi.com/my-api/products', {
  headers: {
    'Authorization': `Bearer ${token}`,
  },
});
```
## Token Contents

JWT tokens contain:
- User identity (name, email)
- Role memberships
- Expiration time
- API-specific claims
## Cookie Authentication

As an alternative to bearer tokens, you can configure your API to use cookie-based authentication. This is useful for browser-based applications where you want the browser to automatically include credentials with each request.

When cookie authentication is enabled:

- Tokens are stored in HTTP-only cookies
- The browser automatically sends credentials with requests
- No need to manually include the `Authorization` header
- Works seamlessly with the hosted login page at `/login`
Configure cookie authentication in the Developer Portal under your API's security settings.
Cookie authentication is ideal for web applications hosted on RestAPI.com, as it simplifies frontend code and works automatically with virtual paths.
## Security Best Practices
- Store tokens securely (never in source code)
- Use environment variables for service account credentials
- Rotate service account secrets regularly
- Use HTTPS for all API requests
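The following is an added example, not RestAPI.com's own client code, that ties together the service account flow, the token contents and the practices above: credentials are read from environment variables (the names `RESTAPI_AUTH_URL`, `RESTAPI_CLIENT_ID` and `RESTAPI_CLIENT_SECRET` are assumptions chosen for this example), the token's `exp` claim is read from the JWT payload so the token is reused until shortly before it expires, and every API call gets the `Authorization` header from one place. Decoding the payload here is only for scheduling refresh; it is not signature verification, which the API performs server-side. Assumes Node.js 18 or later (global `fetch`, `Buffer` with `base64url`).

```javascript
// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the exp claim (seconds since epoch) is within skewSeconds of now.
// A token without exp is treated as unusable so it is always re-requested.
function isExpiringSoon(claims, nowSeconds, skewSeconds = 60) {
  if (typeof claims.exp !== 'number') return true;
  return claims.exp - nowSeconds <= skewSeconds;
}

// Caches one service account token and refreshes it before expiry.
// requestToken and now are injected so the logic can be exercised offline.
class ServiceAccountTokenCache {
  constructor(requestToken, now = () => Math.floor(Date.now() / 1000)) {
    this.requestToken = requestToken;
    this.now = now;
    this.token = null;
    this.claims = null;
    this.requests = 0; // number of round trips to /_auth
  }

  async getToken() {
    if (this.token === null || isExpiringSoon(this.claims, this.now())) {
      this.token = await this.requestToken();
      this.claims = decodeJwtPayload(this.token);
      this.requests += 1;
    }
    return this.token;
  }
}

// Production requester: POST service account credentials to /_auth.
// Credentials come from the environment (variable names are assumed), never source.
async function requestTokenFromRestApi() {
  const { RESTAPI_AUTH_URL, RESTAPI_CLIENT_ID, RESTAPI_CLIENT_SECRET } = process.env;
  if (!RESTAPI_AUTH_URL || !RESTAPI_CLIENT_ID || !RESTAPI_CLIENT_SECRET) {
    throw new Error('service account credentials missing from environment');
  }
  const response = await fetch(RESTAPI_AUTH_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      authority: 'serviceaccount',
      clientId: RESTAPI_CLIENT_ID,
      clientSecret: RESTAPI_CLIENT_SECRET,
    }),
  });
  if (!response.ok) throw new Error(`auth failed: HTTP ${response.status}`);
  const { token } = await response.json();
  return token;
}

// Attach the cached bearer token to an API request. fetchImpl is injectable
// so the header handling can be checked without network access.
async function authorizedFetch(cache, url, init = {}, fetchImpl = fetch) {
  const token = await cache.getToken();
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  return fetchImpl(url, { ...init, headers });
}

// Constructed, unsigned JWT for offline demonstration only (the signature
// segment is a fixed placeholder and is never checked here).
function makeConstructedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

// Wiring for real use: one cache per process, shared by all API calls.
// const cache = new ServiceAccountTokenCache(requestTokenFromRestApi);
// const res = await authorizedFetch(cache, 'https://eu.restapi.com/my-api/products');
```

The 60-second skew in `isExpiringSoon` means a token is refreshed slightly early rather than failing on the first request after it expires; tune it to your clock drift and request latency.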