REST API Authentication, Authorization, and Versioning

REST API•Permalink

Bearer auth, API keys, permission errors, versioning strategies, and compatibility patterns for HTTP APIs.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

## Authentication patterns

Bearer token header

↗#

Authorization: Bearer eyJhbGciOi...

# Send an OAuth or JWT access token.

API key header

↗#

X-API-Key: sk_live_123456

# Send a static API key in a header.

Do not put tokens in the URL

↗#

Avoid: GET /reports?access_token=abc123

# Keep credentials out of path and query strings.

Return 403 for insufficient role

↗#

HTTP/1.1 403 Forbidden

# Authenticated but lacks required permission.

## Versioning strategies

Path-based versioning

↗#

GET /v1/users

# Explicit major version in the URL.

Media type versioning

↗#

Accept: application/vnd.example.v2+json

# Negotiate version with the Accept header.

Date-based compatibility header

↗#

API-Version: 2026-03-01

# Pin behavior by release date.

Signal deprecations clearly

↗#

Deprecation: true
Sunset: Tue, 01 Sep 2026 00:00:00 GMT

# Warn clients before removing behavior.

More in REST API

REST API Best Practices and Anti-Patterns

High-signal design rules, consistency patterns, and common mistakes to avoid in production APIs.

REST API Request and Response Patterns

JSON request bodies, envelope choices, sparse fieldsets, includes, concurrency control, and common response contracts.

REST API Status Codes and Error Response Design

Practical HTTP status codes, error response bodies, validation failures, and troubleshooting-friendly API error contracts.

REST API Pagination, Filtering, Sorting, and Search

Common collection query patterns including offset pagination, cursor pagination, filtering, sorting, and search.

REST API Resource Naming and URL Design

Naming conventions for resources, relationships, nested endpoints, and clean URL design.

REST API Methods and Idempotency

HTTP methods, safe vs unsafe semantics, and idempotency examples for API consumers and designers.

Recommended next

No recommendations yet.

Browse all sheets →