# Authentication
The Petstore API uses API keys to authorize access to protected endpoints. Clients must include a valid API key in the request header when calling operations that require authentication.
Authentication helps ensure that only authorized users or applications can perform specific actions such as creating, updating, or deleting resources.
## Authentication Method
The API uses an API key-based authentication mechanism.
The API key must be passed in the `api_key` request header, as shown in the next section.
## Request Header Example
The following example shows how to include the API key in a request header:
```bash
curl -X GET "https://petstore.swagger.io/v2/pet/1" \
  -H "accept: application/json" \
  -H "api_key: special-key"
```
## Authentication Workflow
The basic authentication flow is as follows:
- Generate or obtain a valid API key.
- Include the API key in the request header.
- Send the API request to the required endpoint.
- The server validates the API key before processing the request.
If the API key is valid, the request is processed successfully. Invalid or missing API keys may result in authorization errors.
## Protected Operations
Authentication may be required for operations such as:
- Creating resources
- Updating existing records
- Deleting resources
- Accessing restricted endpoints
Some read-only endpoints may be accessed without authentication.
## Unauthorized Request Example
The following example shows a typical unauthorized response:
## Common Authentication Errors
| Status Code | Description |
|---|---|
| 400 | Invalid request |
| 401 | Authentication failed or API key missing |
| 403 | Access denied |
| 404 | Requested resource not found |
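As an added illustration of the workflow above and of the status codes in the table (not code from the Petstore project), the following Python function shows how a server would check the `api_key` header and map a request to 200, 401, 403 or 404. The key store, the read-only key, the hashing of stored keys and the permission model are assumptions made for this example; only `special-key` comes from the curl example on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass

def _digest(key: str) -> str:
    # Keys are stored hashed so a leaked key store does not leak usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed sample key store (assumption, not the Petstore's real store):
# digest of each key -> the operations that key may perform.
# "special-key" is the demo key from the curl example on this page.
KEY_STORE = {
    _digest("special-key"): {"read", "write"},
    _digest("readonly-key-example"): {"read"},
}

# Protected methods and the permission each needs; GET requests under
# /v2/pet are treated as public, as the page allows for read-only endpoints.
PROTECTED = {"POST": "write", "PUT": "write", "DELETE": "write"}

@dataclass
class Decision:
    status: int   # HTTP status the server should answer with
    reason: str

def authorize(method: str, path: str, headers: dict) -> Decision:
    """Map a request to 200 (process it), 401 (key missing or unknown),
    403 (key valid but not allowed for this operation) or 404."""
    if not path.startswith("/v2/pet"):
        return Decision(404, "requested resource not found")
    required = PROTECTED.get(method.upper())
    if required is None:
        return Decision(200, "public read-only endpoint")
    # HTTP header names are case-insensitive, so match accordingly.
    key = next((v for k, v in headers.items() if k.lower() == "api_key"), None)
    if not key:
        return Decision(401, "API key missing")
    presented = _digest(key)
    perms = None
    for stored, stored_perms in KEY_STORE.items():
        # Constant-time comparison avoids leaking how much of a digest matched.
        if hmac.compare_digest(stored, presented):
            perms = stored_perms
    if perms is None:
        return Decision(401, "API key not recognised")
    if required not in perms:
        return Decision(403, "API key not permitted for this operation")
    return Decision(200, "authorised")
```

Note that a missing key and an unknown key both map to 401, while a known key lacking the needed permission maps to 403, matching the distinction in the table.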
## Security Best Practices
Follow these recommendations while working with API keys:
- Do not expose API keys in public repositories.
- Avoid hardcoding API keys in source code.
- Rotate API keys periodically if supported.
- Always send requests over HTTPS so the API key is not exposed in transit.
- Scope each API key to the minimum set of operations the application actually needs.