Authentication

Most REST APIs require credentials. TTMSFNCRESTClient centralizes them on the request's AuthorizationOptions so you do not build authorization headers or encode credentials by hand. You pick an AuthorizationType and fill in the matching fields; the component attaches the right header or query parameter when the request runs. This chapter walks through each scheme and when to use it.

Choosing an authorization scheme

AuthorizationType is a TTMSFNCRESTClientAuthorizationType value. The relevant fields depend on the scheme you choose.

| Type | What it adds | Fields used |
| --- | --- | --- |
| atNone | Nothing (the default). | |
| atKeyHeader | A custom header carrying an API key. | AuthorizationKey (header name), AuthorizationValue (key) |
| atKeyQuery | A key/value pair appended to the query string. | AuthorizationKey, AuthorizationValue |
| atBearerToken | An Authorization: Bearer <value> header. | AuthorizationValue (token) |
| atBasic | An Authorization: Basic <base64> header. | BasicUsername, BasicPassword |
| atCustomHeader | A fully custom authorization header. | AuthorizationKey, AuthorizationValue |

API key authentication

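Many services issue a single API key. Send it as a header with atKeyHeader or in the query string with atKeyQuery, depending on what the service expects. A key sent in the query string is part of the URL, so it can be recorded in server and proxy logs; prefer atKeyHeader when the service accepts either.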

procedure TForm1.UseApiKey;
begin
  { atKeyHeader sends the key as a request header: AuthorizationKey is the
    header name, AuthorizationValue is the key. 'abc123' is a placeholder;
    load the real key at run time. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atKeyHeader;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationKey := 'X-API-Key';
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := 'abc123';

  { atKeyQuery instead appends the key to the query string as
    AuthorizationKey=AuthorizationValue - use it for APIs that expect the
    key in the URL. }
  // TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atKeyQuery;

  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;

Bearer token authentication

OAuth 2.0 and similar token schemes use a bearer token. Set atBearerToken and put the raw token in AuthorizationValue — the component prepends Bearer for you.

procedure TForm1.UseBearerToken;
begin
  { atBearerToken adds an 'Authorization: Bearer <value>' header. Put the
    raw token in AuthorizationValue - the component adds the 'Bearer ' prefix. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := 'eyJhbGciOiJIUzI1NiIs...';

  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;

HTTP basic authentication

For basic authentication, set atBasic and supply BasicUsername and BasicPassword. The component builds and Base64-encodes the credential header. Base64 is an encoding, not encryption, so send basic credentials only over HTTPS.

procedure TForm1.UseBasicAuth;
begin
  { atBasic builds the 'Authorization: Basic <base64>' header from the
    user name and password - no manual Base64 encoding required. The
    literals below are placeholders; load real credentials at run time. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBasic;
  TMSFNCRESTClient1.Request.AuthorizationOptions.BasicUsername := 'api_user';
  TMSFNCRESTClient1.Request.AuthorizationOptions.BasicPassword := 's3cr3t';

  TMSFNCRESTClient1.ExecuteRequestWithResultString;
end;

Combining authentication with the rest of the request

Authentication rarely stands alone — a real call also carries headers and reads a typed response. The example below sends a bearer-authenticated GET with an Accept header, checks the result, and parses the JSON body.

procedure TForm1.GetAuthenticatedJSON;
begin
  TMSFNCRESTClient1.Request.Clear;
  TMSFNCRESTClient1.Request.Method := rmGET;
  TMSFNCRESTClient1.Request.URL := 'https://api.example.com/v1/profile';

  { Authentication + a companion header in the same request. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := FAccessToken;
  TMSFNCRESTClient1.Request.Headers.AddHeader('Accept', 'application/json');

  TMSFNCRESTClient1.ExecuteRequestWithResultString(HandleProfile);
end;

procedure TForm1.HandleProfile(AResponseString: string);
var
  LJSON: TJSONValue;
begin
  LJSON := TTMSFNCUtils.ParseJSON(AResponseString);
  if Assigned(LJSON) then
  try
    LabelName.Text := TTMSFNCUtils.GetJSONProp(LJSON, 'name');
    LabelEmail.Text := TTMSFNCUtils.GetJSONProp(LJSON, 'email');
  finally
    LJSON.Free;
  end;
end;

Common mistakes

  • Including the prefix in the token. With atBearerToken, store only the raw token in AuthorizationValue; the component adds the "Bearer " prefix. Storing "Bearer eyJ..." produces a doubled prefix.
  • Hard-coding secrets in source. Load tokens, keys, and passwords from secure storage or configuration at run time rather than committing them.
  • Wrong field for the scheme. atBasic reads BasicUsername/BasicPassword; the key and token schemes read AuthorizationKey/AuthorizationValue. Filling the wrong pair sends no credentials.
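
The first two mistakes above can be guarded against in code. The following is an added example, not part of the original page or of the TMS component: NormalizeBearerToken, ApplyBearerFromEnvironment and the MYAPP_API_TOKEN variable name are hypothetical, and an environment variable stands in for whatever secure storage or configuration the application uses.

```delphi
{ Goes in the implementation section of the form unit used in the examples
  above; declare ApplyBearerFromEnvironment in TForm1. With Lazarus/FPC,
  drop the 'System.' unit prefixes. }
uses
  System.SysUtils, System.StrUtils;

{ Hypothetical helper: returns the raw token with surrounding whitespace and
  any leading 'Bearer' scheme word removed, or raises if nothing usable is left. }
function NormalizeBearerToken(const AValue: string): string;
const
  CScheme = 'Bearer';
var
  C: Char;
begin
  Result := Trim(AValue);
  { Strip every leading scheme word, so 'Bearer Bearer eyJ...' and a bare
    'Bearer' are both handled. The comparison is case-insensitive. }
  while SameText(Result, CScheme) or StartsText(CScheme + ' ', Result) do
    Result := Trim(Copy(Result, Length(CScheme) + 1, MaxInt));
  if Result = '' then
    raise EArgumentException.Create('No bearer token configured');
  { A bearer token contains no spaces or control characters; rejecting them
    also keeps CR/LF out of the Authorization header. The message never
    includes the token itself. }
  for C in Result do
    if C <= ' ' then
      raise EArgumentException.Create(
        'Bearer token contains whitespace or control characters');
end;

procedure TForm1.ApplyBearerFromEnvironment;
var
  LToken: string;
begin
  { MYAPP_API_TOKEN is a constructed name; the token is read at run time
    instead of being committed to source. }
  LToken := NormalizeBearerToken(GetEnvironmentVariable('MYAPP_API_TOKEN'));

  { Only the raw token goes in AuthorizationValue; the component adds the
    'Bearer ' prefix. }
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationType := atBearerToken;
  TMSFNCRESTClient1.Request.AuthorizationOptions.AuthorizationValue := LToken;
end;
```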