[SOUND] Welcome back.

Up to this point, I've relied on Django's authentication system to handle, well,

authentication for the API.

The session authentication that I've been using is best when I'm dealing with

clients that are running in the same session context as the website.

Usually these would be AJAX clients.

For example maybe I'm building a REST framework API for my courses and

a JavaScript app that will consume my API and display those courses.

This JavaScript app could be inside a Django template and all communication with

the API would be within the same context as the rest of the website.

What happens when I go to build a mobile app that needs data from my API?

I only need the data, not the HTML and CSS.

Session authentication isn't going to work very well in this scenario because there's

no session to take advantage of, so what can I use instead?

Token-based authentication would probably be a good choice.

Token auth takes advantage of a simple HTTP authentication method.

Instead of making the user log in and keep a session around,

a user is assigned a token which is usually a randomly generated string,

which they give to the server to prove who they are.

REST framework has built-in support for both session and token authentication.

There are also third party packages that had other authentication types too

like OAuth.

Check the teacher's notes for a link to the documentation on authentication,

which lists recommended third-party packages.

For now though, let me jump back into Workspaces to start getting this new

authentication scheme set up.

Okay, to use the token based auth, I've gotta come over here to Sessions and

I have to add one new thing to my installed apps.

I'm gonna add rest_framework.authtoken and

that makes the auth token stuff available and then I'm gonna

come all the way back down here to my REST framework dictionary and inside

here I have this default authentication classes and I'm gonna change instead of

session authentication I'm gonna change over here to token authentication.

So I have to run migrations now because I added that new project,

I have that new app.

So manage.py migrate and

that will create my token table, so that's cool, and

so now I need to generate a token for my admin user.

I'm gonna pop in here to my shell

and, all right, cool, and so let's handle all of this stuff.

Now, normally if you were doing this, you would have something set up to where you

automatically created a token whenever a user signed up.

I don't have that set up at the moment.

So, I'm not doing that.

I'm gonna do this the manual way.

All right, so import Token, and then from django.contrib.auth.models import User.

And my user is gonna be User.objects.get(

id=1) cuz it's my first one, I know who it is.

Let's check and make sure.

Yep, that's me.

All right, so then token = Token.objects.create

where the user is equal to that user.

And if I check out the key, then I get this nice big string.

So what I'm gonna do is I'm actually gonna take and I wanna copy that.

Copy and down here in the workspace I have this file it's called README.txt.

And if you check it out I put in here the username and

password for that default user.

And I'm gonna put in the token that was generated for me.

If you're using the Workspaces, you should have this database, and

it should have that same token, things should work fine.

If it doesn't, then you need to find out what the token key is and hold on to that.

Now I'm gonna keep a hold of this because I need to have it while I'm making

requests to the API here in a little bit.

If you're like man, I lost it.

I don't know what to do.

Let me get out of here and let me run my server.

Then what you can do is you can hop into your admin and

if you compare to tokens and you can see the token right.

Come right over here.

This is the key.

I would just copy and paste that.

So super handy and you can use this to of course create new tokens for other users.

All right, so with the token authentication configured,

I need a way to test my API endpoints and I can't, I can I can do this but

I'm not authed because I don't have the token, right?

And even if I log in, which I am logged in,

cuz I'm able to get an admin here, it doesn't work because I don't have a token,

so I need a way to test this and I'm gonna do that by using Postman.

So I will go to getpostman.com and there is a Chrome app and

there is a Mac app, and I actually already have the Chrome app installed but

if you don't have it installed, you just click this link and it'll be up and

running and everything's cool.

So I already have that installed.

Let's see, how do I go about getting, go to my apps.

There we go, and Postman, re-enable them.

All right, cool.

So I don't want to sign up.

All right, so this is Postman and Postman is pretty similar to using a web browser.

But you will put your URLs into here.

And I'm actually gonna go ahead, and let's just do that.

Notice this is a GET request.

I'll send that, and there's my data that comes back.

This should look pretty similar, pretty familiar.

It's pretty much the same thing it was before.

Let's see about posting one.

So I will post to that, and I'm gonna click here.

And see how we have Auth, Headers, Body, blah blah blah?

Okay, I'm gonna click on Body and

in form-data, I can go ahead and put in my information.

So I'll do title, let's add Python testing.

I'm gonna click OK got it cuz I'm tired of seeing that.

And for URL I'm gonna put in

httpsteamtreehouse.com/library/pythontest- ing.

All right so that's pretty much what I want.

So I'm doing this here instead of passing in raw JSON I could do raw

JSON right here in a raw But like this it just sends it in like it's form data and

the API knows how to handle that.

So I'm gonna go and I'm gonna click the Send button which will send a POST and

I got a 401 unauthorized, of course, as I should've cuz I'm not authenticated.

And I get that Authentication credentials were not provided.

So yeah, I actually wanted that!

I wanted that to happen because I'm not authorized.

You might be thinking it is authorization but

these are not the authorizations that we need to use.

It's actually here in Headers and

I need to add a new key which is Authorization and

my value is going to be Token, a space, and then my key, which, that's not my key.

Let's go back over here to my readme, copy the key, and paste it in there.

All right, cool.

So now I have my token, I have my authorization.

If I hit Send, I should get a 201.

Let me try.

And yap 201 and I get back my Python testing and that there are no reviews.

So awesome, the token auth is working just like I want.

Token authentication is now the default.

Using Postman let me test the API going forward pretty easily.

Something to keep in mind though is that requests from other domains require

a bit of setup.

Feel free to Google for CORS or Cross Origin Resource Sharing or

try the teacher's notes.

Get a snack take a walk and then join me in the next video where I'll dig a little

deeper into authorization and permissions.