# Authentication Fundamentals

All DreamFactory APIs are private by default, requiring at minimum an API key for authentication. The API key is associated with a role-based access control (RBAC) definition that determines what actions the client supplying the key may undertake with regard to the API. For instance, it's possible to create a read-only RBAC which ensures the client can't access the API's insertion, modification, or deletion endpoints if they exist. If you're interested in protecting a database-backed API, you could limit access to a specific table, view, or stored procedure.

Further, DreamFactory supports both anonymous and user-based authentication. With the former, only an API key is supplied, meaning DreamFactory won't possess any additional information about the user responsible for issuing API calls through the client. However, in many cases you'll want to identify the connecting user by requiring authentication via an authentication provider such as Active Directory, LDAP, or Okta. In fact, DreamFactory supports these providers and more, including:

  • Basic Authentication
  • Active Directory
  • LDAP
  • OpenID Connect
  • OAuth, including support for providers such as Facebook and GitHub
  • SAML 2.0

# The Authentication Process

Regardless of whether the desired authentication approach is anonymous or user-based, you'll always supply an API key. This API key is passed along with the request via the X-DreamFactory-Api-Key header. DreamFactory will confirm the key exists (all API keys are listed under the administration console's Apps tab), and then review the associated RBAC to confirm the request method and URI are permissible according to the RBAC definition.

When user-based authentication is used, DreamFactory will additionally expect a JSON Web Token (JWT) to be passed along via the X-DreamFactory-Session-Token header. This JWT is generated by DreamFactory following a successful authentication against the authentication service provider. The following diagram outlines the authentication flow when using a third-party authentication provider such as Active Directory:

Once the user is successfully authenticated, DreamFactory will generate the JWT and return it to the client. This JWT should then be submitted along with each subsequent request. DreamFactory will check the token's validity and signature, examine the associated user's assigned RBAC (role-based access controls can be assigned on a per-user basis via the user's Roles tab), and if everything checks out the API call will be processed. The following diagram outlines this process:
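As an added illustration (not DreamFactory's own code), the sequence of checks described above modelled in Python with a minimal HS256 JWT: the X-DreamFactory-Api-Key header is resolved to the app's role, an X-DreamFactory-Session-Token, if present, is verified and switches the request to the user's role, and only then is the RBAC consulted. The app, user and role tables and the signing secret are constructed sample data, and rejecting an authenticated user who has no role assigned is an assumption made here for least privilege.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for the Apps tab, Roles tab and role definitions (not DreamFactory's data model).
APPS = {"ck_constructed_key": "read_only"}       # API key -> app's default role
USER_ROLES = {"alice@example.com": "editor"}     # user -> role assigned via the Roles tab
ROLES = {  # role -> permitted (HTTP method, URI prefix) pairs
    "read_only": [("GET", "/api/v2/db/_table/customers")],
    "editor": [("GET", "/api/v2/db/_table/customers"),
               ("POST", "/api/v2/db/_table/customers")],
}
JWT_SECRET = b"constructed-signing-secret"  # the server's HS256 key (constructed)

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(subject, exp, secret=JWT_SECRET):  # what the server issues after a provider login succeeds
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"sub": subject, "exp": exp}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_jwt(token, now, secret=JWT_SECRET):  # claims if signature and expiry hold, else None
    try:
        head, body, sig = token.split(".")
        # The header's alg is deliberately ignored: the server always verifies with its own HS256 key.
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time comparison
            return None
        claims = json.loads(_b64d(body))
    except ValueError:  # malformed token, bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def authorize(headers, method, path, now=None):  # order of checks: API key, session token, RBAC
    now = time.time() if now is None else now
    role = APPS.get(headers.get("X-DreamFactory-Api-Key"))
    if role is None:
        return 401, "unknown API key"
    token = headers.get("X-DreamFactory-Session-Token")
    if token is not None:
        claims = verify_jwt(token, now)
        if claims is None:
            return 401, "invalid or expired session token"
        role = USER_ROLES.get(claims.get("sub"))
        if role is None:
            return 403, "authenticated user has no role assigned"
    if any(m == method and path.startswith(p) for m, p in ROLES[role]):
        return 200, f"allowed under role {role}"
    return 403, f"{method} {path} not permitted by role {role}"
```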