Why requests get rejected
Not every request is welcome
So far, every API call you've made has worked. You sent a request, you got data back. Simple.
But that's not how most real APIs work. Try this one:
You should get an error. The server refused to answer. Not because the URL is wrong, not because the server is broken. It refused because you didn't prove who you are.
This is authentication. And it's one of the most common things you'll encounter when working with APIs.
The login problem
You already understand authentication, actually. Every time you log into a website, you type your email and password. The server checks them, confirms you're a real user, and lets you in. Without that step, the server would let anyone access anyone's account.
APIs have the exact same problem. They need to know who's making the request. But APIs don't have login forms. There's no text field, no "Sign in" button. It's just a URL and some data.
So how do you "log in" to an API? You attach your credentials directly to the request. Instead of typing a password into a form, you include a special string (an API key or a token) in the request itself. The server reads it, checks it, and decides whether to respond.
Some endpoints are public: anyone can call them, no questions asked. That's why GET /users/1 on DummyJSON works without any setup. Other endpoints are protected: you need to include valid credentials before the server will respond.
The NewsAPI endpoint above is protected. It requires an API key to know which account is making the request. You didn't include one, so it rejected you.
401 vs 403: two different rejections
You saw a rejection above. There are actually two status codes for "no," and they mean different things.
401 Unauthorized: "I don't know who you are." You didn't provide any credentials, or the credentials you gave are invalid. You showed up without an ID.
403 Forbidden: "I know who you are, but you're not allowed to do this." You logged in successfully, but you're trying to access something that's not yours. You have an ID, but it doesn't open this door.
In practice:
- You forgot to include your API key? 401.
- Your API key is expired or misspelled? 401.
- You're logged in as a regular user but trying to delete another user's account? 403.
- You're trying to access admin settings without being an admin? 403.
When your engineering team says "the user is getting a 401," you now know exactly what that means: the request is missing valid credentials.
Authentication vs authorization
These two words sound similar, and people mix them up all the time. Here's the difference.
Authentication answers: "Who are you?" It's the login step. You prove your identity (with a password, a key, a token).
Authorization answers: "What are you allowed to do?" Once the server knows who you are, it checks what you have access to.
Authentication always comes first. You can't check someone's permissions if you don't know who they are. A 401 means authentication failed. A 403 means authentication passed, but authorization failed.
You'll see both of these in API documentation. When docs say "this endpoint requires authentication," they mean you need to prove who you are. When they say "requires admin privileges," that's authorization on top of authentication.
How credentials get sent
On a website, credentials go through a login form. With APIs, they're attached to the request. There are two common ways to do it.
In a header (the most common approach):
In a query parameter (simpler, common with API keys):
Headers are generally preferred because query parameters can end up in browser history, server logs, and shared URLs. But many APIs (Google Maps, NewsAPI, OpenWeatherMap) use query parameters for simplicity. The API documentation always tells you which one to use.
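Here is an added example, not part of the lesson or of any real API, showing the server side of both ideas above: reading a key from either an Authorization header or an apiKey query parameter, then answering 401 (authentication failed) before 403 (authorization failed). The key store, user names, roles and URL rules are all constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse
import hmac

# Constructed sample key store: key -> (user id, role). Not real credentials.
API_KEYS = {
    "key-alice-1234": ("alice", "user"),
    "key-root-9999": ("root", "admin"),
}


def extract_key(headers, url):
    """Return the key from 'Authorization: Bearer <key>' or from ?apiKey=<key>.

    The header wins if both are present; either may be absent (returns None).
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    query = parse_qs(urlparse(url).query)
    return query.get("apiKey", [None])[0]


def lookup(key):
    """Map a presented key to (user, role), or None if unknown.

    Constant-time comparison so a wrong key cannot be guessed byte by byte
    from response timing.
    """
    if key is None:
        return None
    for known, identity in API_KEYS.items():
        if hmac.compare_digest(known.encode(), key.encode()):
            return identity
    return None


def handle(method, url, headers):
    """Authentication first (401), then authorization (403), then the work (200)."""
    identity = lookup(extract_key(headers, url))
    if identity is None:
        return 401, "Unauthorized: missing or invalid API key"
    user, role = identity
    path = urlparse(url).path
    # Authorization rule: DELETE /users/<id> is allowed only for that user or an admin
    if method == "DELETE" and path.startswith("/users/"):
        target = path.split("/")[2]
        if target != user and role != "admin":
            return 403, "Forbidden: cannot delete another user's account"
    # Authorization rule: anything under /admin requires the admin role
    if path.startswith("/admin") and role != "admin":
        return 403, "Forbidden: admin privileges required"
    return 200, f"OK as {user}"
```

Try `handle("GET", "https://api.example.test/users/1", {})` to see the 401, then add the header or the query parameter to see the decision change.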
There are different types of credentials (API keys, tokens, OAuth), and we'll cover each one in the next lessons. For now, the key takeaway is: APIs don't have login forms, so credentials are attached directly to the request.
Key takeaways
- Authentication is required for most real-world API endpoints. Not every request is public.
- 401 Unauthorized means "I don't know who you are." Missing or invalid credentials.
- 403 Forbidden means "I know who you are, but you can't do this." Insufficient permissions.
- Authentication = "who are you?" Authorization = "what can you do?"
- Credentials are sent either in headers or query parameters, depending on the API.