Hi and welcome to this video on using simple authentication with Postman. So some APIs are public and they allow anyone to interact with them, but in many cases actions will be restricted by authentication and authorization. So in order to interact with an API you will often need to authenticate yourself in some way. There are a number of different ways that this can be done, and often the approach taken will vary from one API to the next, so you'll need to figure out what the API that you're testing offers. But we'll quickly highlight in this video a few of the common options, so that you have an idea of how to approach this topic. So if you're working with a public API, a common way to get access is through something called a personal token. These are tokens that you can easily generate within an application, and they make it easy to get programmatic access to the API. So these tokens can be set up to restrict things in different ways and they're quite popular. Let's take a look at a real-life example of this.

So we have here GitHub, and in GitHub we can go to the settings, and then we can scroll down here to developer settings, we'll click on that and then we can add a personal access token. So let's create or generate a new token, we'll give it a name, we'll just call it test for now, our test auth token, sure we'll call it that, and then we'll go down here, we'll give it delete repo permissions. That says this token is allowed to delete a repo. And let's generate that token, and we'll go ahead and copy it, and then we'll go over to Postman. And in Postman you can see I've set up a delete call here to delete a repo. But first let's try it with no auth, so there's no authentication or authorization set up, and let's see what happens. So we'll send that command and we get this message back: you must have admin rights to the repository. OK, so we don't have the correct permissions. So now let's try to use our token and see what happens. So we'll go down here, we'll choose bearer token, and we'll just paste in the token that we copied.

And now let's take a quick look just at what's going on here. So let's preview the request, so we'll preview it. Now we can see it's added this little headers thing, let's go look at that. And here in the headers we have an authorization key, and then it added Bearer in front of the token that we had. Now Bearer just tells us that we're using something called OAuth, it's just a way of letting the server know what kind of token this is so that it knows what it's doing, and then this authorization header is what tells the server that we're looking at the authorization here. So we've got everything set up, and let's actually send this command and see what happens. And now we don't get the permissions error anymore, we have this 204 No Content, that means the content has been removed and our command was successful. And so we can see that it's pretty easy to set things up in the case of GitHub, and a lot of other APIs will have this kind of functionality available for you.

So that is one simple way that you can do authorization: if you have a token you can just add the token in as a bearer token. Other options - you might use OAuth 2, which is very similar, we could have used the same access token here in OAuth 2. And then another option that you might see sometimes is basic auth, and basic auth is kind of like it sounds, right, we just give our username and our password, and then we can authenticate and authorize against those. So by setting these up it allows us to be able to send the commands that we want to the server, and do things that require authorization or authentication in order to do. Now this is just a really quick overview of authorization and how to approach it, but fortunately for us Postman abstracts away a lot of the complexity of this, there's actually a lot of complexity going on under the hood here. But hopefully then if you're using Postman it won't be too difficult to figure out authentication with the API that you're working on. And that brings us to the end of this video.

In the next video, we'll talk about some of the risks that there are around using services and APIs, hope to see you there.