Authentication

When testing APIs, many endpoints are protected and require proper authentication or authorization to access them. REST Assured supports different types of authentication methods to test secured APIs.

In this tutorial, you'll learn:

  1. What is Authentication and Authorization?
  2. Types of Authentication
  3. Basic Authentication
  4. Bearer Token Authentication (OAuth 2.0)
  5. API Key Authentication
  6. Handling Cookies and Sessions

What is Authentication and Authorization?

  • Authentication: Confirms who you are (like logging in with a username and password).
  • Authorization: Defines what you can do (like access to specific resources).

Example:

  1. Authentication: You log in to a bank's website.
  2. Authorization: You can view your account but not someone else's.

Types of Authentication in REST APIs

  1. Basic Authentication – Username & Password (e.g., HTTP Authorization header).
  2. Bearer Token (OAuth 2.0) – Secure token to access resources.
  3. API Key – Secret key shared between client and server.
  4. Session-Based – Cookies to maintain a user session.

Basic Authentication

In Basic Authentication, the username and password are joined with a colon, Base64-encoded and sent in the Authorization request header. Base64 is an encoding, not encryption: anyone who can read the header can read the credentials, so Basic Authentication relies entirely on TLS (HTTPS) for confidentiality.

Example: Basic Auth (Username & Password)

Imagine an API at https://api.example.com/login requires Basic Authentication.

Without REST Assured, the header looks like:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
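To see what that header actually contains, here is an added Python example (not REST Assured code, and not from the original tutorial) that builds the Basic header exactly as auth().basic("username", "password") would, then decodes it again. The username and password are the constructed values behind the header above.

```python
import base64
from typing import Tuple


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization value that auth().basic(username, password) puts on the request."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str) -> Tuple[str, str]:
    """Recover the credentials from a Basic header: Base64 is reversible, so this needs no key."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(encoded).decode("utf-8")
    username, _, password = decoded.partition(":")  # only the first ':' separates the two
    return username, password


if __name__ == "__main__":
    header = build_basic_header("username", "password")  # constructed credentials
    print(header)                      # Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    print(parse_basic_header(header))  # ('username', 'password')
```

Running it reproduces the header shown in the text and then reads the password straight back out of it, which is the whole reason Basic Authentication is only acceptable over HTTPS.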

Code Example (Basic Authentication)

Java
// Static import needed by every snippet in this tutorial
import static io.restassured.RestAssured.given;

given()
    .auth().basic("yourUsername", "yourPassword")
    .when()
    .get("https://api.example.com/login")
    .then()
    .statusCode(200);  // Ensure the login is successful

Alternative: Using preemptive() for Faster Auth

Java
given()
    .auth().preemptive().basic("yourUsername", "yourPassword")
    .when()
    .get("https://api.example.com/secure")
    .then()
    .statusCode(200);

Why use preemptive()?

By default, REST Assured's basic() is "challenged": the first request goes out without credentials, and they are only added on a retry after the server answers 401 with a WWW-Authenticate header. preemptive() puts the credentials on the first request, saving that extra round trip; it is also required for servers that never send a challenge at all.
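The difference between the two modes, as an added Python demonstration rather than REST Assured code: a tiny local HTTP server (constructed for this example, bound to a free port on 127.0.0.1) answers 401 with a WWW-Authenticate challenge until valid Basic credentials arrive, and the two client functions count the round trips each mode needs. The credentials are the placeholder values from the snippets above.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local demo server (not a real service).
USER, PASSWORD = "yourUsername", "yourPassword"
EXPECTED_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class ChallengingHandler(BaseHTTPRequestHandler):
    """Replies 401 + WWW-Authenticate until the request carries valid Basic credentials."""

    def do_GET(self):
        if self.headers.get("Authorization") == EXPECTED_HEADER:
            body = b"ok"
            self.send_response(200)
        else:
            body = b"unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), ChallengingHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def challenged_get(port, path):
    """REST Assured's default basic(): try without credentials, resend with them only after a 401."""
    status, round_trips = fetch(port, path, {}), 1
    if status == 401:
        status, round_trips = fetch(port, path, {"Authorization": EXPECTED_HEADER}), 2
    return status, round_trips


def preemptive_get(port, path):
    """preemptive().basic(): credentials go on the very first request."""
    return fetch(port, path, {"Authorization": EXPECTED_HEADER}), 1


def compare():
    """Run both modes against the demo server; returns ((status, trips), (status, trips))."""
    server = start_server()
    try:
        port = server.server_address[1]
        return challenged_get(port, "/secure"), preemptive_get(port, "/secure")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(compare())  # ((200, 2), (200, 1))
```

Both modes end with a 200, but the challenged flow costs two round trips and leaks a 401 into your logs on every call, which is what the preemptive() variant avoids.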

Bearer Token Authentication (OAuth 2.0)

APIs using OAuth 2.0 require a Bearer Token for access. You usually:

  1. Get the token from an authorization server.
  2. Use the token in your API request.

Example: Bearer Token Authentication

Imagine the token is:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Code Example (Bearer Token)

Java
import static org.hamcrest.Matchers.equalTo;

given()
    .auth().oauth2("yourBearerTokenHere")
    .when()
    .get("https://api.example.com/user/profile")
    .then()
    .statusCode(200)
    .body("username", equalTo("john_doe"));  // Assert on the profile returned for this token

Alternative: Manually Add Token to Headers

Java
given()
    .header("Authorization", "Bearer yourBearerTokenHere")
    .when()
    .get("https://api.example.com/orders")
    .then()
    .statusCode(200);
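As an added Python example, independent of the tutorial and of any real authorization server: what a Bearer token of the JWT form shown above is made of, and how a resource server decides whether to accept it. The claims, the signing secret and the tampered payload are constructed; the header segment produced is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 prefix as the token above, because that is what {"alg":"HS256","typ":"JWT"} encodes to.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_header(token: str) -> dict:
    """The first segment is plain JSON once decoded: readable by anyone, it is not a secret."""
    return json.loads(b64url_decode(token.split(".")[0]))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a token the way an authorization server would (HS256 = HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256_token(token: str, secret: bytes) -> Optional[dict]:
    """Resource-server side: return the claims only if the signature is valid for our key."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    if decode_jwt_header(token).get("alg") != "HS256":
        return None  # pin the algorithm: never let the token choose how it is verified
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return None
    return json.loads(b64url_decode(payload))


if __name__ == "__main__":
    token = make_hs256_token({"sub": "john_doe"}, b"demo-secret")  # constructed claims and secret
    print(token.split(".")[0])          # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, as in the text
    print(decode_jwt_header(token))     # {'alg': 'HS256', 'typ': 'JWT'}
    print(verify_hs256_token(token, b"demo-secret"))  # {'sub': 'john_doe'}
    print(verify_hs256_token(token, b"other-secret"))  # None
```

When your tests receive real tokens, the same header decode tells you which algorithm the issuer used, and assertions on claims such as sub or exp are worth adding next to the status-code check, since a 200 alone does not prove the token was validated.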

API Key Authentication

Some APIs require an API Key to identify the user. This key is usually sent:

  • In the request header
  • As a query parameter

Example: API Key in Headers

Imagine you have an API key:

1234567890abcdef

Code Example (API Key in Header)

Java
given()
    .header("x-api-key", "1234567890abcdef")
    .when()
    .get("https://api.example.com/data")
    .then()
    .statusCode(200);

Example: API Key in Query Parameter

Some APIs expect the key as a query parameter in the URL. Unlike a header, the query string is normally written to server, proxy and browser logs, so a key passed this way is exposed in more places.

Java
given()
    .queryParam("api_key", "1234567890abcdef")
    .when()
    .get("https://api.example.com/data")
    .then()
    .statusCode(200);

Session-Based Authentication (Cookies)

Some APIs use sessions—you log in once and get a session cookie. REST Assured can capture and reuse these cookies.

Step 1: Capture the Session Cookie

Java
import io.restassured.response.Response;

Response response =
    given()
        .formParam("username", "user")
        .formParam("password", "pass")
        .when()
        .post("https://api.example.com/login");

// Read the session cookie the login response set
String sessionId = response.getCookie("session_id");

Step 2: Use the Cookie for Future Requests

Java
given()
    .cookie("session_id", sessionId)
    .when()
    .get("https://api.example.com/dashboard")
    .then()
    .statusCode(200);
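The two steps above, as an added Python example rather than REST Assured code: capturing session_id from a constructed Set-Cookie header the way response.getCookie() does, building the Cookie header that .cookie("session_id", sessionId) sends on the next request, and, as the check a tester should add in Step 1, reporting which of the HttpOnly, Secure and SameSite attributes the session cookie lacks.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header, as a login endpoint like /login might return it.
LOGIN_SET_COOKIE = "session_id=a1b2c3d4e5f6; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600"


def capture_session_cookie(set_cookie_header: str, name: str = "session_id") -> dict:
    """Parse a Set-Cookie header and return the value plus the attributes worth checking."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise KeyError(f"no {name} cookie in response")
    morsel = jar[name]
    return {
        "value": morsel.value,
        "httponly": bool(morsel["httponly"]),           # flag: not readable by page scripts
        "secure": bool(morsel["secure"]),               # flag: only sent over HTTPS
        "samesite": morsel["samesite"] or None,         # Lax/Strict/None, or missing
        "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
    }


def cookie_header_for_request(name: str, value: str) -> str:
    """Build the Cookie header that .cookie(name, value) puts on the follow-up request."""
    return f"{name}={value}"


def missing_protections(info: dict) -> list:
    """Names of the session-cookie protections that are absent (empty list = all present)."""
    missing = []
    if not info["httponly"]:
        missing.append("HttpOnly")
    if not info["secure"]:
        missing.append("Secure")
    if info["samesite"] is None:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    info = capture_session_cookie(LOGIN_SET_COOKIE)
    print(info)                                                # value a1b2c3d4e5f6, all flags set
    print(cookie_header_for_request("session_id", info["value"]))  # session_id=a1b2c3d4e5f6
    print(missing_protections(info))                           # []
    print(missing_protections(capture_session_cookie("session_id=xyz; Path=/")))  # all three missing
```

In REST Assured the same attribute check goes through response.getDetailedCookie("session_id"), whose isHttpOnly() and isSecured() methods expose the flags, so the login test can assert on them alongside the status code.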

Digest Authentication

Digest Authentication is more secure than Basic Authentication because it hashes your credentials: instead of sending the password, the client sends a hash computed over the username, realm, password and a server-supplied nonce, so the password itself never travels in the request.

Example: Digest Auth

Java
given()
    .auth().digest("username", "password")
    .when()
    .get("https://api.example.com/protected")
    .then()
    .statusCode(200);
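What "hashes your credentials" means concretely, as an added Python example that follows RFC 2617 (qop=auth) rather than REST Assured's internals: the client computes the response value from the password, the realm and a server-supplied nonce, and the server verifies by recomputing it from the password it has stored. The realm, nonce and cnonce values are constructed for the example. Two caveats the code makes visible: the hash is MD5, as that RFC specifies, and the server must keep the password (or the HA1 hash) to verify, which is why Digest is still expected to run over HTTPS.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    # RFC 2617 specifies MD5 for the Digest scheme; used here for protocol fidelity, not strength.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 (qop=auth): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")  # the only place the password enters the computation
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username, password, realm, nonce, method, uri, cnonce, nc="00000001"):
    """Client side: the Authorization header sent after the server's 401 Digest challenge."""
    response = digest_response(username, password, realm, nonce, method, uri, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (the constructed values contain no commas)."""
    fields = {}
    for part in header.split(" ", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def server_verify(header: str, stored_password: str, realm: str, method: str) -> bool:
    """Server side: recompute the response from the stored password and compare in constant time."""
    f = parse_digest_header(header)
    expected = digest_response(f["username"], stored_password, realm, f["nonce"],
                               method, f["uri"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    # Constructed challenge values; a real server issues a fresh nonce with every 401.
    hdr = build_digest_header("username", "password", "demo",
                              "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/protected", "0a4f113b")
    print(hdr)
    print("password" in hdr)                                  # False: the password is not on the wire
    print(server_verify(hdr, "password", "demo", "GET"))      # True
    print(server_verify(hdr, "wrong", "demo", "GET"))         # False
```

The header carries the username in the clear but only a nonce-bound hash of the password, and because the nonce changes per challenge a captured header cannot simply be replayed later, which is the property the text refers to.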

OAuth 1.0 Authentication

Some older APIs (like the Twitter API) still use OAuth 1.0. REST Assured's OAuth 1 support requires the Scribe library on the classpath.

Example: OAuth 1.0

Java
given()
    .auth()
    .oauth("consumerKey", "consumerSecret", "accessToken", "secretToken")
    .when()
    .get("https://api.example.com/private")
    .then()
    .statusCode(200);

Summary

Authentication Type        Method
-------------------------  ------------------------------------
Basic Authentication       .auth().basic("user", "pass")
Preemptive Basic           .auth().preemptive().basic()
Bearer Token (OAuth 2.0)   .auth().oauth2("token")
API Key (Header)           .header("x-api-key", "yourKey")
API Key (Query Param)      .queryParam("api_key", "yourKey")
Session (Cookies)          .cookie("session_id", "value")
Digest Authentication      .auth().digest("user", "pass")
OAuth 1.0 Authentication   .auth().oauth()