Welcome to the Treehouse Community

The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.

Python Flask REST API API Protection Generating Tokens

1 Answer

Chris Howell
seal-mask
.a{fill-rule:evenodd;}techdegree seal-36
Chris Howell
Python Web Development Techdegree Graduate 49,610 Points

Hi Alexey Kislitsin

So you will notice that initially he sent a GET request to /api/v1/users/token right?

You will want to take note of what he is doing at about 1:38s mark.

First he sends a POST using Basic Auth. This basically is emulation the submission of a Form, like a "Login Form" on a website. When he Sends you will notice he gets his proper JSON response back and in PostMan you will notice at the 1:48s mark. To the right of the Username field it says in small writing, The authorization header will be generated and added as a custom header. Which you can later see around the 9:40s mark when he changes the value of what Authorization key is holding from Basic .... to Token. When he hit send on that Basic style it auto generated those headers.

Soon after he switches to No Auth and changes Basic to Token and the API is set to look for Token auth first and fall back to Basic.

Tokens are meant to be generated on the fly. Each request sent They are meant to be encrypted so they are difficult or impossible to break but they need to be able to be encrypted the same way so that even though they tokens are different they have a way to be compared/validated without being able to decrypt them. If that makes sense? This makes them pretty secure as long as no one can get a hold of your token :)

Now the reason Kenneths was staying the same around 10min mark. He was using No Auth and he was explicitly passing the head Auth Token with the request it was not being generated again.

Does this help at all?