Authentication
Most REST APIs require credentials. TTMSFNCRESTClient centralizes them on the request's AuthorizationOptions so you do not build authorization headers or encode credentials by hand. You pick an AuthorizationType and fill in the matching fields; the component attaches the right header or query parameter when the request runs. This chapter walks through each scheme and when to use it.
Choosing an authorization scheme
AuthorizationType is a TTMSFNCRESTClientAuthorizationType value. The relevant fields depend on the scheme you choose.
| Type | What it adds | Fields used |
|---|---|---|
| atNone | Nothing (the default). | — |
| atKeyHeader | A custom header carrying an API key. | AuthorizationKey (header name), AuthorizationValue (key) |
| atKeyQuery | A key/value pair appended to the query string. | AuthorizationKey, AuthorizationValue |
| atBearerToken | An Authorization: Bearer <value> header. | AuthorizationValue (token) |
| atBasic | An Authorization: Basic <base64> header. | BasicUsername, BasicPassword |
| atCustomHeader | A fully custom authorization header. | AuthorizationKey, AuthorizationValue |
API key authentication
Many services issue a single API key. Send it as a header with atKeyHeader or in the query string with atKeyQuery, depending on what the service expects.
procedure TForm1.UseApiKey;
begin
  { atKeyHeader sends the key as a request header: AuthorizationKey is the
    header name, AuthorizationValue is the key. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atKeyHeader;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationKey := 'X-API-Key';
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := 'abc123';
  { atKeyQuery instead appends the key to the query string as
    AuthorizationKey=AuthorizationValue - use it for APIs that expect the
    key in the URL. }
  // TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atKeyQuery;
  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;
Bearer token authentication
OAuth 2.0 and similar token schemes use a bearer token. Set atBearerToken and put the raw token in AuthorizationValue — the component prepends Bearer for you.
procedure TForm1.UseBearerToken;
begin
  { atBearerToken adds an 'Authorization: Bearer <value>' header. Put the
    raw token in AuthorizationValue - the component adds the 'Bearer ' prefix. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := 'eyJhbGciOiJIUzI1NiIs...';
  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;
HTTP basic authentication
For basic authentication, set atBasic and supply BasicUsername and BasicPassword. The component builds and Base64-encodes the credential header.
procedure TForm1.UseBasicAuth;
begin
  { atBasic builds the 'Authorization: Basic <base64>' header from the
    user name and password - no manual Base64 encoding required. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBasic;
  TMSFNCRESTClient1.Request.AuthorizationOptions.BasicUsername := 'api_user';
  TMSFNCRESTClient1.Request.AuthorizationOptions.BasicPassword := 's3cr3t';
  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;
Combining authentication with the rest of the request
Authentication rarely stands alone — a real call also carries headers and reads a typed response. The example below sends a bearer-authenticated GET with an Accept header, checks the result, and parses the JSON body.
procedure TForm1.GetAuthenticatedJSON;
begin
  TMSFNCRESTClient1.Request.Clear;
  TMSFNCRESTClient1.Request.Method := rmGET;
  TMSFNCRESTClient1.Request.URL := 'https://api.example.com/v1/profile';
  { Authentication + a companion header in the same request. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := FAccessToken;
  TMSFNCRESTClient1.Request.Headers.AddHeader('Accept', 'application/json');
  TMSFNCRESTClient1.ExecuteRequestWithResultString(HandleProfile);
end;

procedure TForm1.HandleProfile(AResponseString: string);
var
  LJSON: TJSONValue;
begin
  LJSON := TTMSFNCUtils.ParseJSON(AResponseString);
  if Assigned(LJSON) then
  try
    LabelName.Text := TTMSFNCUtils.GetJSONProp(LJSON, 'name');
    LabelEmail.Text := TTMSFNCUtils.GetJSONProp(LJSON, 'email');
  finally
    LJSON.Free;
  end;
end;
Common mistakes
- Including the prefix in the token. With atBearerToken, store only the raw token in AuthorizationValue; the component adds Bearer. Storing Bearer eyJ... produces a doubled prefix.
- Hard-coding secrets in source. Load tokens, keys, and passwords from secure storage or configuration at run time rather than committing them.
- Wrong field for the scheme. atBasic reads BasicUsername/BasicPassword; the key and token schemes read AuthorizationKey/AuthorizationValue. Filling the wrong pair sends no credentials.
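
One way to guard against the first two mistakes in a single helper, shown as an added example that is not part of the original documentation or the component's own code. The method name ApplyBearerTokenFromEnvironment and the environment variable MYAPP_API_TOKEN are assumptions; the example also refuses to attach the token unless Request.URL is HTTPS, so call it after the URL has been set.

```delphi
{ Added example. Requires System.SysUtils and System.StrUtils in the uses
  clause. ApplyBearerTokenFromEnvironment and MYAPP_API_TOKEN are
  hypothetical names chosen for this illustration. }
procedure TForm1.ApplyBearerTokenFromEnvironment;
const
  CTokenVariable = 'MYAPP_API_TOKEN'; // assumed variable name
  CBearerPrefix = 'Bearer ';
var
  LToken: string;
begin
  { Read the secret at run time instead of compiling it into the binary
    or committing it with the source. }
  LToken := Trim(System.SysUtils.GetEnvironmentVariable(CTokenVariable));
  if LToken = '' then
    raise EArgumentException.CreateFmt('%s is not set', [CTokenVariable]);

  { The component prepends 'Bearer ' itself. Strip a prefix that was pasted
    along with the token so the header does not become 'Bearer Bearer ...'. }
  if StartsText(CBearerPrefix, LToken) then
    LToken := Trim(Copy(LToken, Length(CBearerPrefix) + 1, MaxInt));
  if LToken = '' then
    raise EArgumentException.CreateFmt('%s holds no token', [CTokenVariable]);

  { A bearer token can be replayed by anyone who reads it, so do not attach
    one to a request that would travel over plain HTTP. }
  if not StartsText('https://', Trim(TMSFNCRESTClient1.Request.URL)) then
    raise EArgumentException.Create(
      'Refusing to send a bearer token to a non-HTTPS URL');

  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := LToken;
end;
```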