<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The <ahref="permissions.html">permission</a> and <ahref="throttling.html">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> properties are accessed, and determines how those properties are initialized.</p>
<h2id="setting-the-authentication-policy">Setting the authentication policy</h2>
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION_CLASSES</code> setting. For example.</p>
<p>This policy uses <ahref="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a user's username and password. User basic authentication is generally only appropriate for testing.</p>
<p><strong>Note:</strong> If you run <code>UserBasicAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<p>If successfully authenticated, <code>UserBasicAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
<p>This policy uses <ahref="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a token key and secret. Token basic authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
<p><strong>Note:</strong> If you run <code>TokenBasicAuthentication</code> in production your API must be <code>https</code> only, or it will be completely insecure.</p>
<p>If successfully authenticated, <code>TokenBasicAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>djangorestframework.models.BasicToken</code> instance.</li>
<p>This policy uses the <ahref="http://oauth.net/2/">OAuth 2.0</a> protocol to authenticate requests. OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf.</p>
<p>If successfully authenticated, <code>OAuthAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>djangorestframework.models.OAuthToken</code> instance.</li>
<p>This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.</p>
<p>If successfully authenticated, <code>SessionAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
<p>To implement a custom authentication policy, subclass <code>BaseAuthentication</code> and override the <code>authenticate(self, request)</code> method. The method should return a two-tuple of <code>(user, auth)</code> if authentication succeeds, or <code>None</code> otherwise.</p>