1. API Key Authentication
When an API is marked with a red locked icon, you are required to provide authentication.
FusionAuth primarily controls access to the API through the use of an API key. By default, all secured APIs will return a
401 Unauthorized response.
To enable access to a secured API, create one or more API keys in the FusionAuth user interface. The API key is then supplied in the HTTP request using the Authorization header. See API Keys for more information on adding additional keys.
The following example demonstrates the HTTP Authorization header with an API key of
The following is a cURL example that sends the same API key as above in the Authorization header, with line breaks and spaces for readability.
curl -H 'Authorization: 2524a832-c1c6-4894-9125-41a9ea84e013' https://firstname.lastname@example.org
2. JWT Authentication
When an API is marked with a green identity icon, you may call this API without
an API key and instead provide a JSON Web Token (JWT), pronounced "jot". These APIs may be called with a signed token in place of an API key. A JWT is
obtained from the Login API. The token will also be provided as an HTTP Only Session cookie. If cookies are being managed for you by the browser or some
other RESTful client, the JWT cookie will automatically be sent to FusionAuth on your behalf and you may omit the
2.1. Authorization Header Examples
The following example demonstrates the HTTP JWT Authorization header.
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo
The following is a cURL example using the JWT Authorization header with a line break and spaces for readability.
curl -H 'Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo' \
     https://example.fusionauth.io/api/user
2.2. Cookie Example
If a cookie is provided on a request that accepts an API key or a JWT, the API key will be preferred.
The following is an HTTP GET request with the JWT Access Token provided as a cookie.
GET /api/user HTTP/1.1
Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo
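As an added example (not part of the FusionAuth documentation), the Python below decodes the sample token from the header and cookie examples above to show which claims anyone holding that token can read, and refuses to build the Authorization: JWT header once exp has passed. The function names are hypothetical, and the signature is not verified, so this is a client-side diagnostic only.

```python
import base64
import json

# Sample token copied from the header and cookie examples on this page.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ."
    "Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo"
)


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def inspect_jwt(token, now):
    """Return header and claim facts WITHOUT verifying the signature.

    Hypothetical helper: the claims are only base64url-encoded, not encrypted,
    so this shows what any holder of the token can read.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected three non-empty dot-separated segments")
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("segment is not base64url-encoded JSON") from exc
    exp, iat = claims.get("exp"), claims.get("iat")
    has_exp = isinstance(exp, (int, float))
    return {
        "alg": header.get("alg"),
        "claims": claims,
        "lifetime_seconds": exp - iat if has_exp and isinstance(iat, (int, float)) else None,
        "expired": has_exp and now >= exp,  # a token with no exp is reported as not expired
    }


def authorization_header(token, now):
    """Build the 'Authorization: JWT <token>' header, refusing an expired token."""
    if inspect_jwt(token, now)["expired"]:
        raise ValueError("token expired; obtain a new one from the Login API")
    return {"Authorization": "JWT " + token}
```

Because the claims decode without any key, treat the token as a credential in its own right and keep it out of logs and shell history.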
3. No Authentication Required
When an API is marked with an unlocked icon, you are not
required to provide an
Authorization header as part of the request. The API is either designed to be publicly accessible or the request may take a parameter that is itself secure.