What is the difference between API keys and OAuth 2.0?
Answer
API keys are static tokens issued to an application and sent in a header (X-API-Key: abc123) or as a query parameter. They are simple to implement and well suited to server-to-server communication, but they cannot represent a specific user's permissions, do not expire automatically, and are dangerous if leaked (no built-in revocation). OAuth 2.0 is a full authorization framework that issues short-lived access tokens and refresh tokens. It supports delegated authorization (a user granting an app access to their data without sharing their password), scopes for fine-grained permissions, token expiry and revocation, and multiple client types. Use API keys for simple internal integrations or when no user context is needed. Use OAuth 2.0 for user-delegated access, third-party integrations, and any scenario requiring fine-grained authorization.
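The contrast in the answer, as an added example that is not part of the original page: a minimal server-side sketch in which an API key is only a static secret mapped to an application (no user, no scopes, no expiry), while an OAuth 2.0-style bearer access token carries a user, a client, scopes and an expiry and can be revoked before it expires. The key store, the token format and the helper names are assumptions made for the illustration, not any real provider's API.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# --- API-key model: a static secret identifies an application, nothing more ---

# Constructed sample store: key -> application name. No user, no scopes, no expiry.
API_KEYS = {"abc123": "reporting-service"}


def authenticate_api_key(presented: str):
    """Return the application name for a valid key, else None.
    hmac.compare_digest compares in constant time so a timing side channel
    does not leak how many leading characters of a guess were correct."""
    for key, app in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            return app
    return None


# --- OAuth 2.0-style model: a short-lived token bound to user, client and scopes ---

@dataclass
class AccessToken:
    value: str
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float  # unix timestamp


TOKENS = {}      # token value -> AccessToken, as the authorization server would keep
REVOKED = set()  # token values revoked before their natural expiry


def issue_token(user, client_id, scopes, ttl_seconds=3600, now=None):
    """Mint an opaque, random access token with a fixed lifetime (hypothetical issuer)."""
    now = time.time() if now is None else now
    value = secrets.token_urlsafe(32)
    tok = AccessToken(value, user, client_id, frozenset(scopes), now + ttl_seconds)
    TOKENS[value] = tok
    return tok


def revoke_token(value):
    """Revocation is a first-class operation here; a static API key has no equivalent."""
    REVOKED.add(value)


def authorize_bearer(presented, required_scope, now=None):
    """Validate a bearer token and check the scope a resource needs.
    Returns (ok, reason, token_or_None) so callers can log the failure cause."""
    now = time.time() if now is None else now
    tok = TOKENS.get(presented)
    if tok is None:
        return False, "unknown token", None
    if presented in REVOKED:
        return False, "revoked", None
    if now >= tok.expires_at:
        return False, "expired", None
    if required_scope not in tok.scopes:
        return False, "insufficient_scope", None
    return True, "ok", tok


if __name__ == "__main__":
    print("api key ->", authenticate_api_key("abc123"))          # reporting-service
    t = issue_token("alice", "web-app", ["read:orders"], ttl_seconds=60, now=1000.0)
    print(authorize_bearer(t.value, "read:orders", now=1030.0)[1])   # ok
    print(authorize_bearer(t.value, "write:orders", now=1030.0)[1])  # insufficient_scope
    print(authorize_bearer(t.value, "read:orders", now=1061.0)[1])   # expired
    revoke_token(t.value)
    print(authorize_bearer(t.value, "read:orders", now=1030.0)[1])   # revoked
```

The point of the sketch is what each check can and cannot express: the API-key path can only answer "which application is this?", whereas the token path answers "which user, via which client, for which scopes, until when, and has it been revoked?", which is exactly the extra structure the answer attributes to OAuth 2.0.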
More REST API Design Questions
- Intermediate: What is HATEOAS and how is it implemented?
- Intermediate: What are the main API versioning strategies in REST and what are their tradeoffs?
- Intermediate: What are the pagination strategies in REST APIs?
- Intermediate: What is rate limiting and how is it communicated in REST APIs?
- Intermediate: How does HTTP caching work in REST APIs with ETag and Cache-Control?