Authentication between APIs

Good morning all,

We have several older ServiceStack projects that support cookie based authentication. We are now starting with newer API projects that are token based. We have one API method that needs to call another API in another service that supports cookie based authentication.

I am just wondering whether the token based service should authenticate against the cookie based service each time? Or should the authentication be one time only and the cookies saved? This is what we do for webapps calling APIs, but am not sure if this design is recommended for an API calling another API method.


You can use JWT although I’d prefer to using the API Key Auth Provider and send the same API Key each time.

You can improve performance by enabling Cached API Key Sessions which will skip Authentication after the initial request for the specified duration, e.g:

Plugins.Add(new AuthFeature(...,
    new IAuthProvider[] {
        new ApiKeyAuthProvider(AppSettings) {
            SessionCacheDuration = TimeSpan.FromMinutes(10),

Another solution if it’s an API you trust/control, you create a JWT manually with a long-lived expiry which basically lets you use it like an API Key (without needing to register the API Key AuthProvider) which will negate needing to Authenticate the API Server and keeping Username/Credentials in your AppHost configuration as you’ll be able to use the generated JWT as your API key.

Thanks Demis.

Just to clarify:

Our scenario is as follows and this is what I assumed:

API 1 [Token based] —> Call method in API 2 [Cookie based]
API 1 calls authenticate on API 2 using our internal key and API 2 then returns ss-pid cookies.

On the next call to API2, just send the cookies with the request?

OR is there no need for the cookies with API Key based authentication?

Both JWT and API Key don’t use cookies or require additional call for authentication, you’d just be populating the BearerToken with the JWT or API Key (depending on which one you use), e.g:

var client = new JsonHttpClient(baseUrl) {
    BearerToken = jwtOrApiKey

Which will let you call APIs requiring authentication.