Make Your App #Authentic

Sam Hall
4 min read · Jul 13, 2021

Web app authentication, information exchanges and user security.

What is Authentication?

Authentication is the process by which an application verifies a user’s, well, authenticity: that the person presenting credentials is who they claim to be. It lets your app confirm the identity of a user and keep their content away from unauthorized bots or users.

In my last post, “Enter the Internet,” I discuss HTTP (Hypertext Transfer Protocol), which is essentially the language browsers speak in order to communicate with servers. I also discuss the request-response cycle, in which the browser on a user’s device uses HTTP to send requests to a particular server and receives responses from that server, which are then rendered as results on a page.

In the authentication process, a user sends a request to a server to access their own information by entering a username, email address, password, etc. The website or application then checks the user’s input against the login information stored on its server for that particular account. If these details match, the browser or app renders the information associated with those login credentials.

Access Tokens

An access token is a credential, an opaque string or signed “object,” that the server issues once a user’s credentials have been verified and that stands in for the user’s login and profile information on later requests. Presenting the token proves that the login already succeeded, so the user does not have to log in again every time they open new information within the same Single Page Application. Think “Home,” “Messages,” and “Feed” tabs on Instagram: without access tokens, you would have to log in separately for each page of information.

Tokens usually expire after a set time, so that the application can re-check that the same user is still the one accessing the information after a long period. This is why, when you leave an app for a while, it may ask you to re-enter your credentials when you open it again.

API Keys

All this talk of “tokens” and “keys” has got me wanting to binge Lord of the Rings, amirite? Okay, back to business. APIs, which I also discussed in my last post, are software intermediaries, often sitting in front of an external database or service, that let applications interact with each other and use one another’s information.

Users aren’t the only ones being authenticated by applications. Sometimes another application needs access to a particular app in order to supply its own server with that app’s information for a given purpose. For example, when you use a particular song in your Instagram story (App 1), IG makes a request to Spotify (App 2) for the information needed to play the song, and does so again every time a follower views your story. API keys facilitate this sort of exchange.

Developers can generally access a given application’s API (external database) when building an app. Access, which is sometimes free and sometimes pay-per-request, is granted through an API key unique to their app and the API being accessed. META! API keys are generally long, random strings of numbers and letters, and they are sent along with the application’s request to the API. So every time a user of your app clicks the magnifying glass on your search bar, a request carrying your application’s API key is sent to the other application’s external database, and whatever information it returns that is relevant to your user is then rendered.
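As an added example, not code from the original post or from any real API provider, here is the server side of the API-key exchange just described: generating a long random key for a registered client app, storing only a hash of it, identifying the calling app from the key carried on each request, counting requests per app (the pay-per-request case), and revoking a key. The `X-API-Key` header name, the hypothetical `handle_search` endpoint and the in-memory registry are assumptions for illustration.

```python
import hashlib
import secrets

# Constructed in-memory registry: sha256(key) -> client app name. Storing only
# the hash means a leaked registry does not hand out usable keys.
API_KEYS = {}
# Constructed per-app request counter, the basis for pay-per-request billing.
USAGE = {}


def _key_hash(api_key):
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_api_key(app_name):
    """Create a 256-bit random, URL-safe key for a client app. Shown to the
    developer once; afterwards only its hash is kept."""
    api_key = secrets.token_urlsafe(32)
    API_KEYS[_key_hash(api_key)] = app_name
    USAGE.setdefault(app_name, 0)
    return api_key


def revoke_api_key(api_key):
    """Remove a key; returns True if it was known."""
    return API_KEYS.pop(_key_hash(api_key), None) is not None


def identify_client(headers):
    """Return the app name for the key carried in the request, or None.
    The lookup is by hash, so timing differences do not reveal the key itself."""
    api_key = headers.get("X-API-Key")  # assumed header name
    if not api_key:
        return None
    return API_KEYS.get(_key_hash(api_key))


def usage_for(app_name):
    return USAGE.get(app_name, 0)


def handle_search(headers, query):
    """Hypothetical search endpoint: reject unknown callers, bill known ones."""
    app = identify_client(headers)
    if app is None:
        return {"status": 401, "error": "missing or invalid API key"}
    USAGE[app] += 1
    # Constructed stand-in for the real data the API would return.
    results = [f"result for {query!r} served to {app}"]
    return {"status": 200, "app": app, "results": results}


if __name__ == "__main__":
    key = issue_api_key("photo-app")
    print(handle_search({"X-API-Key": key}, "sunset"))
    print(handle_search({}, "sunset"))
    print("requests billed to photo-app:", usage_for("photo-app"))
```

Unlike the per-user access token above, an API key identifies the calling application rather than a person and is long-lived, which is why it is hashed at rest and why revocation is a single registry deletion.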
