Skip to content
On this page
Reference → Airnode → v0.11 → Concepts and Definitions

Airnode Authentication

API providers can instruct Airnode to authenticate requests to their endpoints. This is done by setting up a security scheme in the config.json file for their Airnode. Airnode supports three methods of authentication from the OpenAPI specification.

OAS OpenAPI Specification uses the term security scheme for authentication and authorization schemes. Airnode only uses standard OAS defined authentication schemes to identify itself to API endpoints. Airnode supports two types of authentication, http and apiKey.

  • HTTP authentication schemes (using the Authorization header) supported by Airnode:
  • API key in the request header, cookie in header or query string

How Airnode sends the authentication data is explained in the sections Basic, Bearer and API Key below.


Basic authentication is a simple authentication scheme built into the HTTP protocol. The Authorization request header contains the Base64-encoded username and password, separated by a colon. When handling the request, the server decodes the login details and checks if the user can access the requested content.

The header field is in the form of Authorization: Basic <credentials> where credentials is the Base64 encoding of a username and password joined by a single colon (airnode:airnode-password).

Authorization: Basic <credentials>

curl -H "Authorization: Basic YW5kZXJzb25AZ21haWwuY29tOjEyM215cGFzc3dvcmQ=" \


Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The API provider supplies a token used by Airnode to authenticate itself to API endpoints.

The header field is in the form of Authorization: Bearer <token>.

curl -H "Authorization: Bearer RZ8Y65TG" \
  -X GET


Some APIs use an apiKey for authentication. The API provider supplies an apiKey used by Airnode to authenticate itself to API endpoints. Airnode can send the apiKey three ways.

# In the query string.
curl -X GET

# In the request header.
curl -H "X-API-KEY: abcdef12345" \
  -X GET

# As a cookie in the request header.
curl -H "Cookie: X-API-KEY:abcdef12345" \
  -X GET

Released under the MIT License.