Authentication Guide
The Acme API supports multiple authentication methods depending on your use case.
API Keys
The simplest authentication method. Best for server-to-server communication.
```bash
curl -X GET "https://api.acme.com/v2/users" \
  -H "Authorization: Bearer sk_live_abc123..."
```
Key Types
| Type | Prefix | Use Case |
|---|---|---|
| Live | sk_live_ | Production applications |
| Test | sk_test_ | Development and testing |
OAuth 2.0
For applications that act on behalf of users.
```bash
curl -X GET "https://api.acme.com/v2/users/me" \
  -H "Authorization: Bearer oauth_token_xyz..."
```
Security Best Practices
- Never expose keys in client-side code. Use a backend proxy instead.
- Rotate keys regularly by generating new keys periodically.
- Use environment variables rather than hardcoding keys in source code.
- Restrict key permissions to only grant necessary scopes.
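A check for the hardcoded-key and client-side exposure rules above, as an added example (not Acme's own tooling): it scans file contents for the `sk_live_` and `sk_test_` prefixes and reports redacted findings. The key body pattern, the client-side extension list, the severity labels and the `ACME_API_KEY` variable name are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: the page documents only the prefixes; the key body is taken
# here to be 8 or more letters, digits or underscores.
KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_]{8,}")
# Assumption: extensions treated as code delivered to the browser.
CLIENT_SIDE = (".js", ".jsx", ".ts", ".tsx", ".html", ".vue")

# Constructed sample files (not from the page); the key values are made up.
SAMPLES = {
    "web/app.js": 'const KEY = "sk_live_EXAMPLEONLY0001";\nfetch(url);\n',
    "server/config.py": 'import os\nAPI_KEY = os.environ["ACME_API_KEY"]\n',
    "tests/conftest.py": 'API_KEY = "sk_test_EXAMPLEONLY0002"\n',
}

@dataclass
class Finding:
    path: str
    line: int
    key_type: str   # "live" or "test"
    severity: str
    redacted: str   # the full secret is never echoed into logs or CI output

def severity(key_type: str, path: str) -> str:
    """Live keys outrank test keys; client-side files outrank server files."""
    client = path.lower().endswith(CLIENT_SIDE)
    if key_type == "live":
        return "critical" if client else "high"
    return "medium" if client else "low"

def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            kind = m.group(1)
            # Keep the prefix and last 4 characters so the key can be
            # identified for rotation without disclosing it.
            redacted = f"sk_{kind}_...{m.group(0)[-4:]}"
            findings.append(
                Finding(path, lineno, kind, severity(kind, path), redacted))
    return findings

def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.severity:8} {f.path}:{f.line} {f.redacted}")
```

Any key this reports should be rotated, since removing it from the current file does not remove it from version history.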
Error Responses
Authentication errors return 401 Unauthorized:
```json
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or expired API key"
  }
}
```