In cURL, authentication is a crucial step for accessing protected resources. cURL supports various authentication methods including Basic Auth, Bearer Token, OAuth, and more.
Basic Authentication
Basic Auth is the simplest authentication method: the username and password are joined as username:password, Base64-encoded, and sent in the Authorization header. Base64 is an encoding, not encryption, so anyone who can read the request can recover the credentials.
```bash
# Method 1: Using -u parameter
curl -u "username:password" https://api.example.com/protected

# Method 2: Manual encoding (not recommended)
curl -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=" \
  https://api.example.com/protected

# Provide username only, cURL will prompt for password
curl -u "username" https://api.example.com/protected

# Read password from environment variable
curl -u "username:$PASSWORD" https://api.example.com/protected
```
Bearer Token Authentication
Bearer Token is the most commonly used authentication method for modern APIs.
```bash
# Using Bearer Token
curl -H "Authorization: Bearer your_access_token_here" \
  https://api.example.com/protected

# Combined with other parameters
curl -X POST \
  -H "Authorization: Bearer token123" \
  -H "Content-Type: application/json" \
  -d '{"name":"test"}' \
  https://api.example.com/resource

# Read token from file
TOKEN=$(cat token.txt)
curl -H "Authorization: Bearer $TOKEN" \
  https://api.example.com/protected
```
API Key Authentication
API Keys are typically passed via query parameters or request headers.
```bash
# Query parameter method
curl "https://api.example.com/data?api_key=your_api_key_here"

# Request header method
curl -H "X-API-Key: your_api_key_here" \
  https://api.example.com/data

# Custom header name
curl -H "ApiKey: your_api_key_here" \
  https://api.example.com/data
```
OAuth 2.0 Authentication
OAuth 2.0 is a complex authentication flow, usually involving multiple steps.
```bash
# Step 1: Get Access Token
curl -X POST https://auth.example.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret"

# Step 2: Use Access Token to access resources
curl -H "Authorization: Bearer access_token_from_step1" \
  https://api.example.com/protected

# OAuth password grant
curl -X POST https://auth.example.com/oauth/token \
  -d "grant_type=password" \
  -d "username=user@example.com" \
  -d "password=user_password" \
  -d "client_id=your_client_id"
```
Digest Authentication
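Digest authentication is more secure than Basic Auth: the password itself is not sent, and the client instead answers a server challenge with a hash computed from the credentials.
```bash
# Using --digest parameter
curl --digest -u "username:password" \
  https://api.example.com/protected
```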
Authentication Methods Comparison
| Method | Security | Use Case | cURL Parameter |
|---|---|---|---|
| Basic Auth | Low (requires HTTPS) | Simple scenarios | -u |
| Bearer Token | Medium | API calls | -H "Authorization: Bearer" |
| API Key | Medium | Open APIs | -H "X-API-Key" or query param |
| OAuth 2.0 | High | Third-party authorization | Multi-step flow |
| Digest | High | Internal systems | --digest |
Practical Examples
```bash
# GitHub API authentication
curl -H "Authorization: Bearer ghp_xxxx" \
  https://api.github.com/user

# AWS API (requires signing)
curl -X GET "https://s3.amazonaws.com/bucket/file" \
  -H "Authorization: AWS4-HMAC-SHA256 ..."

# Complete authenticated API call
curl -X POST https://api.example.com/orders \
  -H "Authorization: Bearer token123" \
  -H "Content-Type: application/json" \
  -H "X-Request-ID: $(uuidgen)" \
  -d '{"product_id": 123, "quantity": 2}'
```
Security Best Practices
- Use environment variables: Don't hardcode passwords on the command line
- HTTPS required: Authentication must be transmitted over encrypted channels
- Token expiration: Regularly refresh access tokens
- Least privilege: Only request necessary permission scopes
- Log security: Avoid logging sensitive information
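
A variable expanded inside -u or -H still ends up in curl's argument list, where other local users can see it in the process table. The following added example (not part of the original page) keeps the credential off the command line by handing it to curl as a config file on stdin with -K -. The function names and the API_TOKEN environment variable are assumptions made for illustration.

```bash
# Added example: build curl config lines so secrets arrive on stdin (-K -),
# not in argv. printf is a shell builtin, so no child process receives the
# secret as an argument. API_TOKEN is an assumed environment variable.

# Escape backslashes and double quotes for a quoted curl config value.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Fail if the value is empty or contains CR/LF, which would break out of the
# config line or inject an extra header.
single_line() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$1" ]
}

# Config equivalent of: -u "username:password" (add --digest for Digest).
basic_config() {
    single_line "$1" && single_line "$2" || return 1
    case "$1" in *:*) return 1 ;; esac  # curl splits user:password at the first colon
    printf 'user = "%s:%s"\n' "$(curl_quote "$1")" "$(curl_quote "$2")"
}

# Config equivalent of: -H "Authorization: Bearer <token>".
bearer_config() {
    single_line "$1" || return 1
    printf 'header = "Authorization: Bearer %s"\n' "$(curl_quote "$1")"
}

# Usage (needs network): refuse to send anything if the token is unusable,
# otherwise pipe the config to curl so the token never appears in argv.
fetch_protected() {
    _cfg=$(bearer_config "$API_TOKEN") || return 1
    printf '%s\n' "$_cfg" | curl --fail --silent --show-error -K - "$1"
}
```

Call it as fetch_protected https://api.example.com/protected after exporting API_TOKEN; for Basic or Digest, pipe the output of basic_config into curl -K - the same way.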