The Three Approaches
Choosing the right authentication method depends on your use case: who's calling your API, how much security you need, and how complex you're willing to get.
API Keys
A long, random string passed as a header or query parameter.
GET /api/data HTTP/1.1
X-API-Key: sk_live_abc123def456ghi789How it works: The server looks up the key in a database and maps it to an account.
Pros:
- Dead simple to implement
- Easy for developers to understand
- No token expiration to manage
Cons:
- No built-in scoping (all-or-nothing access)
- Hard to rotate without downtime
- Can be accidentally committed to git or exposed in URLs
- Database lookup on every request
Best for: Server-to-server APIs, developer platforms, rate limiting identifiers.
Examples: Stripe, SendGrid, OpenAI
OAuth 2.0
A delegation framework where users grant limited access to third-party apps.
How it works: The user authenticates with an authorization server, which issues scoped access tokens to the requesting application.
Pros:
- Users never share passwords with third-party apps
- Granular scoping (
read:email,write:repos) - Token revocation support
- Industry standard (RFC 6749)
Cons:
- Complex implementation (multiple flows, token management)
- Requires an authorization server
- Overkill for simple APIs
Best for: Third-party integrations, user-facing apps, social login.
Examples: GitHub, Google, Facebook login
JWT (JSON Web Tokens)
Self-contained tokens that carry claims about the user.
GET /api/data HTTP/1.1
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...How it works: The server validates the token's signature and reads claims from the payload. No database lookup needed.
Pros:
- Stateless — no server-side session storage
- Self-contained — carries user info in the payload
- Fast validation (no DB lookup)
- Works well with microservices
Cons:
- Cannot be revoked once issued (without a blacklist)
- Payload is readable (not encrypted)
- Token size can be large
- Security pitfalls (alg:none, key confusion)
Best for: Microservices, stateless APIs, first-party auth.
Decision Matrix
| Criteria | API Key | OAuth 2.0 | JWT |
|---|---|---|---|
| Complexity | Low | High | Medium |
| Third-party access | No | Yes | No |
| User consent | No | Yes | No |
| Stateless | No | Optional | Yes |
| Revocable | Yes (DB) | Yes | No (without blacklist) |
| Scoping | Manual | Built-in | Custom claims |
Common Combinations
In practice, these are often used together:
- OAuth 2.0 + JWT: OAuth issues JWTs as access tokens (most common modern setup)
- API Keys + JWT: API key for service identification, JWT for user auth
- API Keys + OAuth: API key for rate limiting, OAuth for user access
Recommendation
- Public developer API → API Keys (simple, well-understood)
- Third-party integrations → OAuth 2.0 (user consent, scoping)
- Microservices / SPA → JWT (stateless, fast validation)
- All three → API key for identification + OAuth for auth + JWT for tokens