difference in using authorization header vs api_key query parameter.

Assistance de TMDB

Assistance → Assistance de l'API

posté par Racusthor
STAFFMOD
le 11 février 2025 à 16h54

When using the authorization header, a call to https://api.themoviedb.org/3/account works (falls back to default id?).
however, a call to https://api.themoviedb.org/3/account?api_key=*** (without authorization header) doesn't work.

Is this by design? any other differences in using the header instead of query parameter?

2 réponses (sur la page 1 sur 1)

Réponse de Racusthor

STAFFMOD

le 2 mars 2025 à 07h17

does anyone know?

Réponse de Victor Franco

STAFFMOD

le 2 mars 2025 à 12h30

Yes, this is intentional. The MovieDB API has different authentication levels:

1. Using the api_key in the URL
The api_key works for public requests, such as fetching movies or general information.
It does not work for requests that require user authentication.

2. Using the Authorization Header (Authorization: Bearer <token>)
Required for authenticated requests, like retrieving user-specific data (e.g., /account).
The API expects a user authentication token rather than just an API key.

3. Why does /account require authentication in the header?
The /account endpoint returns user-specific data.
An api_key alone is not enough because it does not identify a specific user.
Instead, the API requires an OAuth 2.0 Access Token.

How to fix it?

The user must generate an OAuth 2.0 Access Token and include it in the request header:

Authorization: Bearer <your_access_token>

This ensures the API knows which user account is making the request.

Membres de cette conversation

Catégories

Assistance de TMDB