API authentication is the process of verifying that a caller making an API request is who they claim to be and is authorised to access the requested resource. The three most common authentication mechanisms for web APIs are: API keys (long secret strings sent in a header or query parameter), OAuth 2.0 (delegated access using short-lived tokens obtained through an auth flow), and JSON Web Tokens (JWT — self-contained tokens that carry claims and are verified via cryptographic signature).
For web scraping, API authentication matters in two scenarios. First, when scraping data from sites that expose their data through authenticated APIs — intercepting the client-side requests to the API requires authenticating as a valid user, which means obtaining session tokens through a login flow or using service account credentials. Second, when using scraping services like AlterLab, which authenticate API callers via API keys passed in the `X-API-Key` header.
Common authentication header patterns: `Authorization: Bearer <token>` (OAuth/JWT), `Authorization: Basic <base64>` (username:password), `X-API-Key: <key>` (API key), `Cookie: session=<id>` (session-based). AlterLab uses the `X-API-Key` pattern with keys prefixed `sk_live_` for production and `sk_test_` for sandbox testing.