Authentication Patterns

Overview

Every API requires authentication. The method varies by vendor, security posture, and use case, but the patterns are finite. This section documents the five authentication patterns you will encounter across any API on the internet, with curl examples, dsec integration, and netapi CLI equivalents.

Authentication Methods

| Method | Use Case | Security Level | Common APIs |
|---|---|---|---|
| HTTP Basic | Internal APIs, legacy systems, quick prototyping | Low (credentials in every request) | Cisco ISE ERS, Elasticsearch, Jenkins, Nexus |
| OAuth2 / OIDC | Delegated access, machine-to-machine, SSO | High (short-lived tokens, scoped access) | Azure AD, Keycloak, Auth0, GitHub Apps, Google APIs |
| API Keys / Bearer Tokens | Developer APIs, service integrations | Medium (long-lived, no expiry by default) | GitHub PATs, GitLab, Cloudflare, Stripe, AWS API Gateway |
| Mutual TLS | High-security internal, certificate-based identity | Very High (cryptographic identity, no shared secrets) | Cisco pxGrid, banking APIs, service mesh (Istio/Linkerd) |
| HMAC Signatures | Request integrity, tamper-proof API calls | High (request-level signing, replay protection) | AWS SigV4, some payment gateways, webhook verification |

Choosing an Authentication Method

Start with the API’s documentation. Most APIs support exactly one method — you do not choose; the vendor chose for you.

When you are designing an API or have a choice:

  • Internal tooling, single user — Basic Auth over HTTPS is sufficient. Do not over-engineer.

  • Multi-tenant, delegated access — OAuth2 Client Credentials or Authorization Code flow.

  • Developer self-service — API keys with rotation policy.

  • Zero-trust, service-to-service — mTLS with short-lived certificates.

  • Request integrity required — HMAC signatures (AWS model).
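The "request integrity" and "replay protection" the table credits to HMAC signing come from what is bound into the signed string. The block below is an added illustration of a simplified timestamp-plus-nonce scheme, not AWS SigV4 and not code from netapi or dsec; the header names, the 300-second window and the in-memory nonce set are assumptions.

```python
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300  # assumed clock-skew window (SigV4 uses 15 minutes)


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body digest, timestamp and nonce into one signed input."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the headers sent with the request (header names are assumed)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": signature}


def verify_request(secret, method, path, body, headers, seen_nonces, now=None):
    """Server side: returns (accepted, reason). seen_nonces is the replay cache (a set here)."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    # Reject stale or future-dated requests; this also bounds how long the nonce cache
    # must remember entries.
    if abs(now - timestamp) > WINDOW_SECONDS:
        return False, "timestamp outside acceptance window"
    if nonce in seen_nonces:
        return False, "nonce already used (replay)"
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte via timing.
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    # Record the nonce only after the signature checks out, so unauthenticated requests
    # cannot poison the replay cache with nonces a legitimate client might later use.
    seen_nonces.add(nonce)
    return True, "ok"
```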

Common Pattern: dsec + netapi

All authentication methods follow the same operational workflow:

# 1. Store credentials in dsec (once)
dsec edit d000 dev/network

# 2. Load credentials into environment
dsource d000 dev/network

# 3. Use netapi (reads from environment)
netapi ise ers endpoints list

# 4. Clean up
dsunsource

netapi resolves credentials in this order:

  1. Explicit CLI flags (--user, --token, --cert)

  2. Environment variables (loaded via dsec)

  3. Configuration file (~/.config/netapi/config.toml)

Each sub-page documents the specific dsec variables and CLI flags for its authentication method.