<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The <ahref="permissions">permission</a> and <ahref="throttling">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> properties are accessed, and determines how those properties are initialized.</p>
<p>The <code>request.auth</code> property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with.</p>
<h2id="how-authentication-is-determined">How authentication is determined</h2>
<p>Authentication is always set as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set <code>request.user</code> and <code>request.auth</code> using the return value of the first class that successfully authenticates.</p>
<p>If no class authenticates, <code>request.user</code> will be set to an instance of <code>django.contrib.auth.models.AnonymousUser</code>, and <code>request.auth</code> will be set to <code>None</code>.</p>
<p>The value of <code>request.user</code> and <code>request.auth</code> for unauthenticated requests can be modified using the <code>UNAUTHENTICATED_USER</code> and <code>UNAUTHENTICATED_TOKEN</code> settings.</p>
<p>This policy uses <ahref="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a user's username and password. User basic authentication is generally only appropriate for testing.</p>
<p><strong>Note:</strong> If you run <code>UserBasicAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<p>If successfully authenticated, <code>UserBasicAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
<p>This policy uses <ahref="http://tools.ietf.org/html/rfc2617">HTTP Authentication</a> with no authentication scheme. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients. The token key should be passed in as a string to the "Authorization" HTTP header. For example:</p>
<p><strong>Note:</strong> If you run <code>TokenAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure.</p>
<p>If successfully authenticated, <code>TokenAuthentication</code> provides the following credentials.</p>
<p>To use the <code>TokenAuthentication</code> policy, you must have a token model. Django REST Framework comes with a minimal default token model. To use it, include <code>djangorestframework.tokenauth</code> in your installed applications and sync your database. To use your own token model, subclass the <code>djangorestframework.tokenauth.TokenAuthentication</code> class and specify a <code>model</code> attribute that references your custom token model. The token model must provide <code>user</code>, <code>key</code>, and <code>revoked</code> attributes. Refer to the <code>djangorestframework.tokenauth.models.BasicToken</code> model as an example.</p>
<p>This policy uses the <ahref="http://oauth.net/2/">OAuth 2.0</a> protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf.</p>
<p>If successfully authenticated, <code>OAuthAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>djangorestframework.models.OAuthToken</code> instance.</li>
<p>This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.</p>
<p>If successfully authenticated, <code>SessionAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
<p>To implement a custom authentication policy, subclass <code>BaseAuthentication</code> and override the <code>authenticate(self, request)</code> method. The method should return a two-tuple of <code>(user, auth)</code> if authentication succeeds, or <code>None</code> otherwise.</p>