difference in using authorization header vs api_key query parameter.

Axuda de The Movie Database

Publicado por Racusthor
STAFFMOD
o 11 de febreiro do 2025 ás 4:54PM

When using the authorization header, a call to https://api.themoviedb.org/3/account works (falls back to default id?).
however, a call to https://api.themoviedb.org/3/account?api_key=*** (without authorization header) doesn't work.

Is this by design? any other differences in using the header instead of query parameter?

2 respostas (na páxina 1 de 1)

Resposta de Racusthor

STAFFMOD

no 2 de marzo do 2025 ás 7:17AM

does anyone know?

Resposta de Victor Franco

STAFFMOD

no 2 de marzo do 2025 ás 12:30PM

Yes, this is intentional. The MovieDB API has different authentication levels:

1. Using the api_key in the URL
The api_key works for public requests, such as fetching movies or general information.
It does not work for requests that require user authentication.

2. Using the Authorization Header (Authorization: Bearer <token>)
Required for authenticated requests, like retrieving user-specific data (e.g., /account).
The API expects a user authentication token rather than just an API key.

3. Why does /account require authentication in the header?
The /account endpoint returns user-specific data.
An api_key alone is not enough because it does not identify a specific user.
Instead, the API requires an OAuth 2.0 Access Token.

How to fix it?

The user must generate an OAuth 2.0 Access Token and include it in the request header:

Authorization: Bearer <your_access_token>

This ensures the API knows which user account is making the request.

Usuarios neste debate

Categorías

Axuda de The Movie Database