Authorization
Authorization guidance for Authentication API flows, including API key, client ID, bearer-token use, and mixed public versus authenticated endpoint patterns.
Overview
The Authentication API uses a mixed model because it serves both public entry flows and authenticated user actions. Some endpoints are intended for public sign-up or login initiation, while others operate only after a valid user session exists.
As a result, this group combines application credentials, tenant credentials, and user bearer tokens depending on the operation.
Primary authentication models
The most common patterns in this group are:
apikeyplusclient_idfor public authentication entry points- bearer access tokens for authenticated user actions
- selected management-style credential combinations on specific routes
This group should be treated as mixed, not uniformly public or uniformly admin-only.
Required credentials
Depending on the endpoint, you may see:
apikeyclient_idclient_secretapisecretAuthorization: Bearer <access-token>X-LoginRadius-ApiKeyX-LoginRadius-ApiSecret- machine-to-machine bearer tokens on selected operations
Security schemes used in this group
The current public spec uses these schemes in the Authentication API group:
APIKeyClientIdBearerTokenApiSecretAPISecretClientSecretXLoginRadiusAPIKeyXLoginRadiusAPISecretM2MBearerToken
Practical interpretation
APIKeyandClientIdare the most common combination for public registration and login-style endpointsBearerTokenis used when the endpoint acts on an authenticated user sessionAPISecretandClientSecretappear on more sensitive or management-adjacent operationsX-LoginRadius-*header variants appear on selected routes and should be followed exactly when required
Headers and query parameters
Common auth inputs in this group include:
- query
apikey - query
client_id - query
apisecret - query
client_secret - header
Authorization: Bearer <token> - header
X-LoginRadius-ApiKey - header
X-LoginRadius-ApiSecret
Do not assume an access token replaces application credentials for public auth flows. Many authentication entry points still require application-level parameters.
Token usage guidance
Public auth flows
For registration, login, passwordless, or passkey entry points, expect tenant/app-level parameters such as apikey and client_id.
Authenticated user flows
For user profile, user update, or session-bound actions, expect a bearer token. Use:
Authorization: Bearer <access-token>
whenever the endpoint supports standard user-session authorization.
Sensitive or backend-only flows
Some routes expose administrative or elevated credential patterns. Those should remain server-side and should not be used directly from browser code.
Examples and common patterns
Typical patterns in this group include:
- initiating login with
apikeyandclient_id - completing user-scoped actions with a bearer access token
- calling verification or recovery operations with application credentials
- using backend-only secrets for specialized high-trust identity actions
Common auth errors and pitfalls
- using only a bearer token on endpoints that still require
apikeyandclient_id - exposing
client_secretorapisecretin frontend code - assuming all login endpoints share the same auth contract
- treating management-style security patterns as if they were safe for public flows
- forgetting that session-bound endpoints operate differently from registration or login initiation endpoints
Check each generated operation page before implementation, especially when moving between login, password, session, and user sub-sections.