REST API auth method picker
Eight broad auth methods cover almost every REST API: Bearer tokens, API keys (header or query), Basic auth, session cookies, OAuth 2.0, mTLS, and HMAC-signed requests. Within OAuth 2.0 there are four current flows and two deprecated ones. This wizard picks one for your situation and flags common mistakes (API keys in query strings, JWT-as-session, OAuth implicit flow).
We’re opinionated: OAuth 2.0 Authorization Code with PKCE for user-facing apps (SPAs, mobile, native). API keys in headers, not query strings, for server-to-server. mTLS for high-security service-to-service. Implicit and Password grants are deprecated; we say so plainly.
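The PKCE part of the recommended user-facing flow comes down to one pair of values: the client keeps a random code_verifier and sends only its SHA-256 hash (the code_challenge) with the authorization request, so an intercepted authorization code cannot be redeemed without the verifier. The following is an added example, not code from this site, showing both the client-side generation and the token-endpoint check (RFC 7636, S256 method); the function names are our own.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (RFC 7636 section 4.1).

    Must be 43..128 unreserved characters; 32 random bytes encode to
    exactly 43 characters, the minimum length."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).

    Sent with the authorization request together with code_challenge_method=S256;
    the verifier itself is only sent later, directly to the token endpoint."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    Recompute the challenge from the verifier presented alongside the
    authorization code and compare it with the challenge stored when the code
    was issued. Only S256 is accepted: 'plain' sends the verifier in the clear
    during the redirect, which defeats the purpose."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    # Constant-time comparison so the check does not leak which prefix matched.
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


def code_interception_fails() -> bool:
    """Constructed scenario: a party holding only the intercepted authorization
    code (and the public challenge) guesses a verifier; the exchange must fail."""
    legit_verifier = make_verifier()
    stored = make_challenge(legit_verifier)          # what the AS saved with the code
    return not verify_pkce(stored, "S256", make_verifier())
```

The two-step split is what makes the flow safe for public clients (SPAs, mobile, native) that cannot keep a client secret: the only secret is per-request, never leaves the client until the token call, and is useless once redeemed.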
Modes
- Picker — one to three questions about your use case (user-facing? server-to-server? third-party access? device with limited input?) and you land on a recommended method, with an OAuth sub-picker when relevant.
- Reference — each method with a real example request shape, when to use, when not to use, and common mistakes to avoid. OAuth flows have their own pages (/f/auth-code-pkce, /f/client-credentials, /f/device-code, …).
We’re not trying to teach OAuth from scratch — for that, the canonical resource is oauth.net. Our job is “pick the right method.”