Best practices regarding API key authentication

Hello! I'm working on an API for an app for which I'm using better-auth for authentication. This question isn't really a better-auth-specific question, but I figured I'd ask here as it's the right context.

In my API I want to enable authentication through the use of API keys (in addition to the normal session authentication) so that clients can more easily authenticate from code. However, I'm a bit stumped on whether to use Bearer tokens (https://swagger.io/docs/specification/v3_0/authentication/bearer-authentication/) or API keys (https://swagger.io/docs/specification/v3_0/authentication/api-keys/). What really is the difference? I've also heard a lot about JWT tokens; can they be used with API keys or are they locked in to Bearer tokens? I don't really understand the difference as both are sent in a header.