Unauthorized error

Hi All,
Have configured API with API key and Basic authentication. When we pass invalid user id, valid API key getting status code → 401, statusMessage → Unauthorized and also when we have valid user credentials and invalid API key getting status code → 401, statusMessage → Unauthorized due to which we are sending same error message to invoker which is not a valid one. Is there any way we can differentiate this error types.


RFC - This is what I see in the RFC7235 ([link](Reference - RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication))


I asked this question internally -

Question - Is API Key used for Authentication or Authorization, when combined with basic authentication credentials? It does identify the consumer, but the question is whether it plays a part in authentication/authorization.

Scenario - In a scenario where valid credentials are passed but with an invalid API Key, the GW responds with 401 Unauthorized. Is 401 accurate here, or must it be a different code?

The following response is courtesy of @John_Carter4 -

"Important to remember that the API key identifies the consumer (i.e. app) not necessarily the user, so some other form of authentication should be used for authorization.

As to the response code from a security perspective we don’t want to give away too much information so a 401 unauthorized is fine. We don’t want a hacker to be able to determine if an API key is correct but not the login etc. etc."


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.