API Authentication

1. API Key Authentication

When an API is marked with a red locked icon such as    it means you are required to provide authentication. FusionAuth primarily controls access to the API through the use of an API key. All secured APIs by default all APIs will return an 401 Unauthorized response.

To enable access to a secured API create one or more API keys in the FusionAuth user interface. The API key is then supplied in the HTTP request using the Authorization header. See API Keys for more information on adding additional keys.

The following example demonstrates the HTTP Authorization header with an API key of 2524a832-c1c6-4894-9125-41a9ea84e013.

Authorization: 2524a832-c1c6-4894-9125-41a9ea84e013

The following is a cURL example using the Authorization header using the same API key as above with line breaks and spaces for readability.

curl -H 'Authorization: 2524a832-c1c6-4894-9125-41a9ea84e013'

2. JWT Authentication

When an API is marked with a green identity icon such as   it means you may call this API without an API key but instead provide a JSON Web Token (JWT) pronounced "jot". These APIs may be called with a signed token in place of an API key. A JWT is obtained from the Login API. The token will also be provided as an HTTP Only Session cookie. If cookies are being managed for you by the browser or some other RESTful client, the JWT cookie will automatically be send to FusionAuth on your behalf and you may omit the Authorization header.

2.1. Authorization Header Examples

The following example demonstrates the HTTP JWT Authorization header.

Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo

The following is a cURL example using the JWT Authorization header with a line break and spaces for readability.

curl -H 'Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo' \

If a cookie is provided on a request that accepts an API key or an JWT, the API key will be preferred.

The following is an HTTP GET request with the JWT Access Token provided as a cookie.

GET /api/user HTTP/1.1
Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0ODUxNDA5ODQsImlhdCI6MTQ4NTEzNzM4NCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIyOWFjMGMxOC0wYjRhLTQyY2YtODJmYy0wM2Q1NzAzMThhMWQiLCJhcHBsaWNhdGlvbklkIjoiNzkxMDM3MzQtOTdhYi00ZDFhLWFmMzctZTAwNmQwNWQyOTUyIiwicm9sZXMiOltdfQ.Mp0Pcwsz5VECK11Kf2ZZNF_SMKu5CgBeLN9ZOP04kZo

3. No Authentication Required

When an API that is marked with an unlocked icon such as    it means that you are not required to provide an Authorization header as part of the request. The API is either designed to be publicly accessible or the request may take a parameter that is itself secure.