API authentication: API keys vs OAuth 2.0
Northwind Cloud supports two authentication methods for its REST API: long-lived API keys for server-to-server integrations, and OAuth 2.0 for apps acting on behalf of a user. Choose based on who the request represents, not on convenience.
API keys
Generate a key under Settings → API keys. Pass it as a bearer token on every request. Keys inherit the permissions of the service account that created them.
curl https://api.northwind.cloud/v2/projects \
-H "Authorization: Bearer nw_live_8f3a…"
OAuth 2.0
Register an OAuth client, then run the standard authorization-code flow. Request only the scopes you need; users see and approve them on the consent screen.
- Redirect the user to
/oauth/authorizewith yourclient_idand scopes. - Exchange the returned code at
/oauth/tokenfor an access token. - Refresh tokens before they expire (default 8 hours).
Choosing between them
| API key | OAuth 2.0 | |
|---|---|---|
| Acts as | A service account | A specific user |
| Best for | Backend jobs, integrations | User-facing apps |
| Scope control | Service permissions | Per-user consent |
| Token life | Long-lived | Short, refreshable |
Machine-readable metadata
{
"id": "api-auth",
"version": "2.3",
"audience": ["developers"],
"owner": "platform-team",
"last_reviewed": "2026-06-02",
"next_review": "2026-12-02",
"confidence": "high",
"citations": 4,
"tags": ["authentication", "oauth"]
}
Sources / citations
- Northwind API Reference, “Authentication” (internal, v2.3)
- Security Standard SEC-014: Secret handling & rotation
- RFC 6749 — The OAuth 2.0 Authorization Framework
- Platform Team decision log, 2026-05-19