difference in using authorization header vs api_key query parameter.

Soporte de The Movie Database

publicado por Racusthor
STAFFMOD
el 11 de febrero de 2025 a las 16:54

When using the authorization header, a call to https://api.themoviedb.org/3/account works (falls back to default id?).
however, a call to https://api.themoviedb.org/3/account?api_key=*** (without authorization header) doesn't work.

Is this by design? any other differences in using the header instead of query parameter?

2 respuestas (en la página 1 de 1)

Contestado por Racusthor

STAFFMOD

el 2 de marzo de 2025 a las 07:17

does anyone know?

Contestado por Victor Franco

STAFFMOD

el 2 de marzo de 2025 a las 12:30

Yes, this is intentional. The MovieDB API has different authentication levels:

1. Using the api_key in the URL
The api_key works for public requests, such as fetching movies or general information.
It does not work for requests that require user authentication.

2. Using the Authorization Header (Authorization: Bearer <token>)
Required for authenticated requests, like retrieving user-specific data (e.g., /account).
The API expects a user authentication token rather than just an API key.

3. Why does /account require authentication in the header?
The /account endpoint returns user-specific data.
An api_key alone is not enough because it does not identify a specific user.
Instead, the API requires an OAuth 2.0 Access Token.

How to fix it?

The user must generate an OAuth 2.0 Access Token and include it in the request header:

Authorization: Bearer <your_access_token>

This ensures the API knows which user account is making the request.

Usuarios en este debate

Categorías

Soporte de The Movie Database