📘Cisco DevNet Associate (200-901 DEVASC)
Utilize Common API Authentication Mechanisms: Basic, Custom Token, and API Keys
For the Cisco DevNet Associate (200-901 DEVASC) exam, you must understand how APIs authenticate users and applications. Authentication proves who you are before allowing access to resources.
When working with REST APIs, authentication is sent in the HTTP request, usually in the header section.
The three common authentication mechanisms you must know for the exam are:
- Basic Authentication
- API Keys
- Custom Token Authentication
1️⃣ Basic Authentication
What Is Basic Authentication?
Basic Authentication is the simplest authentication method.
It sends a username and password with every API request.
The username and password are joined with a colon (username:password), Base64-encoded, and placed in the HTTP Authorization header.
How It Works
The client sends:
Authorization: Basic <Base64(username:password)>
Example format:
Authorization: Basic YWRtaW46Y2lzY28xMjM=
The server:
- Decodes the Base64 string
- Extracts the username and password
- Verifies them
- Grants or denies access
Important Exam Points
✅ Base64 is NOT encryption
Base64 is reversible encoding. Anyone who sees the header can decode it and read the password.
Therefore, Basic Authentication must be used with:
HTTPS (TLS encryption)
Without HTTPS, the credentials can be read by anyone on the network path. They also appear in any proxy or server log that records request headers, so the header itself must be treated as the password.
✅ Credentials Sent Every Time
With Basic Authentication:
- Username and password are sent with every request
- No session or token is created
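As an added example (not code from the page or the exam material), the Python below builds the Basic header the way the requests library does, decodes it again to show that Base64 hides nothing, and performs the server-side check with a constant-time comparison and a 401 that carries WWW-Authenticate. The username and password are the page's lab values; the realm name and the function names are assumptions.

```python
import base64
import hmac
from typing import Dict, Tuple

# Lab credentials from the page; the realm name is an assumption for the example.
USERNAME = "admin"
PASSWORD = "cisco123"
CHALLENGE = {"WWW-Authenticate": 'Basic realm="devnet"'}


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization value the client sends.

    username and password are joined with a colon and Base64-encoded;
    this is exactly what requests.get(url, auth=(user, pw)) does for you.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value: str) -> Tuple[str, str]:
    """Recover the plaintext credentials from a Basic header.

    Anyone who can see the header (a proxy, a capture of plain HTTP, a log
    line) can do this: Base64 is encoding, not encryption.
    """
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    # Split on the first colon only: usernames cannot contain ':' but passwords can.
    username, _, password = raw.partition(":")
    return username, password


def verify_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server-side check. Returns (status code, response headers).

    A 401 carries WWW-Authenticate so the client knows Basic is expected.
    hmac.compare_digest avoids leaking how many characters matched.
    """
    value = headers.get("Authorization")
    if value is None:
        return 401, CHALLENGE
    try:
        username, password = decode_basic_header(value)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return 401, CHALLENGE
    user_ok = hmac.compare_digest(username.encode(), USERNAME.encode())
    pass_ok = hmac.compare_digest(password.encode(), PASSWORD.encode())
    if user_ok and pass_ok:
        return 200, {}
    return 401, CHALLENGE


if __name__ == "__main__":
    header = build_basic_header(USERNAME, PASSWORD)
    print(header)                                        # Basic YWRtaW46Y2lzY28xMjM=
    print(decode_basic_header(header))                   # ('admin', 'cisco123')
    print(verify_request({"Authorization": header})[0])  # 200
    print(verify_request({})[1])                         # the WWW-Authenticate challenge
```

Running it reproduces the page's sample header from admin:cisco123, and the decode step is the whole reason the HTTPS requirement exists.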
Where It Is Used in IT
- Network device APIs (for example, router REST interfaces)
- Internal automation scripts
- Lab environments
- Simple REST services
Example:
An automation script uses the Python requests library, which builds the Authorization: Basic header from the tuple (url is the endpoint being called):
import requests
response = requests.get(url, auth=('admin', 'cisco123'))
Advantages
- Simple to implement
- Easy to test using tools like Postman
- No extra token management
Disadvantages
- Credentials sent repeatedly
- Less secure than token-based systems
- Not scalable for large production systems
When You See in API Documentation
Look for:
- “Basic Auth”
- “Authorization header”
- Username/password required
2️⃣ API Keys
What Is an API Key?
An API Key is a unique string generated by the server.
It identifies the client application.
Instead of username and password, the client sends:
x-api-key: 123456789abcdef
or
api_key=123456789abcdef
How It Works
- You register an application.
- The server generates an API key.
- You include the key in each request.
- The server checks the key and allows access.
Where API Keys Are Sent
API keys may be included in:
- HTTP Header (most common)
- Query parameter
- Request body
Header example:
GET /devices
x-api-key: abc123xyz789
Important Exam Points
✅ API Key Identifies the Application
It usually identifies:
- The app
- The developer account
- The calling system
It does NOT always identify a specific user.
✅ Rate Limiting
API keys are commonly used for:
- Tracking usage
- Applying rate limits
- Logging API calls
Example:
If an application sends too many requests, the server may return:
429 Too Many Requests
✅ Should Be Protected
An API key is a bearer credential: whoever presents it is treated as the application. So:
- API keys must be kept secret
- They must never be committed to source control, public or private
- They should be loaded from environment variables or a secrets manager at run time, not hard-coded
- They should be sent in a header rather than the query string, because URLs end up in proxy logs, server logs, and browser history
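As an added example (not code from the page or any real platform), the Python below models both ends of an API-key exchange: registration mints a random key and stores only its SHA-256 digest; the server accepts the key from the x-api-key header (preferred) or the api_key query parameter, maps it to an application rather than a user, and applies a sliding-window rate limit that answers 429; the client reads its key from an environment variable. The variable name MONITORING_API_KEY, the limit of 5 requests per 60 seconds, and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed policy values for this example.
RATE_LIMIT = 5          # requests allowed per application ...
WINDOW_SECONDS = 60.0   # ... within this sliding window

# Server-side state. Only SHA-256 digests of keys are stored, so a leaked
# key table does not hand out usable keys.
_KEY_DIGESTS: Dict[str, str] = {}       # digest -> application name
_RECENT: Dict[str, Deque[float]] = {}   # application name -> request timestamps


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def register_application(app_name: str) -> str:
    """Registration step: mint a random key, store only its digest, return the key once."""
    key = secrets.token_urlsafe(32)
    _KEY_DIGESTS[_digest(key)] = app_name
    return key


def extract_api_key(headers: Dict[str, str], url: str) -> Optional[str]:
    """Take the key from the x-api-key header, or fall back to ?api_key=... in the URL.

    Header placement is preferred: query strings are written to proxy and
    server logs and browser history, headers normally are not.
    """
    key = headers.get("x-api-key")
    if key:
        return key
    return parse_qs(urlsplit(url).query).get("api_key", [None])[0]


def identify_application(key: Optional[str]) -> Optional[str]:
    """Map a presented key to an application name, or None if unknown.

    The key identifies the calling application, not a human user.
    Digests are compared in constant time so timing cannot reveal a near miss.
    """
    if not key:
        return None
    given = _digest(key)
    for stored, app_name in _KEY_DIGESTS.items():
        if hmac.compare_digest(given, stored):
            return app_name
    return None


def handle_request(headers: Dict[str, str], url: str,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Server handling: 401 without a valid key, 429 over the limit, else 200.

    `now` is injectable so the sliding window can be exercised deterministically.
    """
    now = time.monotonic() if now is None else now
    app_name = identify_application(extract_api_key(headers, url))
    if app_name is None:
        return 401, "missing or invalid API key"
    window = _RECENT.setdefault(app_name, deque())
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()                 # forget requests older than the window
    if len(window) >= RATE_LIMIT:
        return 429, f"rate limit exceeded for {app_name}"
    window.append(now)
    return 200, f"request accepted for {app_name}"


def client_headers(key: Optional[str] = None) -> Dict[str, str]:
    """Client side: read the key from the environment (variable name assumed); never hard-code it."""
    key = os.environ.get("MONITORING_API_KEY", "") if key is None else key
    return {"x-api-key": key}


if __name__ == "__main__":
    issued = register_application("monitoring")   # shown to the developer once
    print(handle_request(client_headers(issued), "/devices"))
    print(handle_request({}, "/devices"))           # (401, 'missing or invalid API key')
```

The sixth request inside the window gets 429, and the same key presented in the query string is accepted but would have been logged in the URL; that is why the header form is the one the documentation usually asks for.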
Where It Is Used in IT
- Cloud APIs
- Network management platforms
- Monitoring platforms
- SaaS services
Example:
A monitoring system calling a cloud network controller API using:
x-api-key: myCompanyMonitoringKey
Advantages
- Simple
- Good for tracking applications
- Easy to implement
Disadvantages
- If leaked, anyone can use it
- Usually does not represent user identity
- Limited fine-grained control compared to OAuth
In API Documentation You Might See
- “API Key Required”
- “x-api-key header”
- “Include your API key in requests”
3️⃣ Custom Token Authentication
What Is Custom Token Authentication?
Custom token authentication uses a token generated after login.
Instead of sending username and password each time:
- Client authenticates once.
- Server returns a token.
- Client uses the token for future requests.
How It Works
Step 1 – Login Request
POST /login
{
"username": "admin",
"password": "cisco123"
}
Step 2 – Server Response
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Step 3 – Use Token in Future Requests
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Important Exam Points
✅ Token Sent in Header
Most common format:
Authorization: Bearer <token>
✅ Token Expiration
Tokens are usually issued with a lifetime:
- They expire after a set time
- The client must then obtain a new one (log in again or use a refresh token)
- A short lifetime limits how long a stolen token can be abused
✅ Stateless Authentication
With a self-contained token such as a JWT:
- The server verifies the signature and expiry on each request, without a session table
- Each request carries its own proof of authentication
Opaque custom tokens (random strings) work differently: the server must look them up in its own table of issued tokens, so that variant is not stateless.
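As an added example (not the page's own code, and not any real controller's API), the Python below plays both sides of the login-then-token exchange shown in the three steps above, using an opaque random token that the server stores with an expiry: the client logs in once, sends Authorization: Bearer on every call, and re-authenticates exactly once when it gets a 401 after the token has expired. The user store, the 300-second lifetime, the /devices payload and the class names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed credentials for the example; a real controller has its own user store.
USERS = {"admin": "cisco123"}
TOKEN_TTL = 300.0   # seconds a token stays valid (assumed)

Response = Tuple[int, Dict[str, object]]


class FakeController:
    """Stand-in for a controller that issues opaque tokens.

    An opaque token means nothing by itself, so the server keeps a table of
    issued tokens and their expiry: this variant is NOT stateless.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}   # token -> (user, expires_at)

    def login(self, username: str, password: str, now: float) -> Response:
        """POST /login: password checked once, token returned."""
        expected = USERS.get(username, "")
        if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
            return 401, {"error": "invalid credentials"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + TOKEN_TTL)
        return 200, {"token": token, "expires_in": TOKEN_TTL}

    def get_devices(self, headers: Dict[str, str], now: float) -> Response:
        """GET /devices: only the Bearer token is needed, never the password."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self._tokens.get(token) if scheme == "Bearer" else None
        if entry is None:
            return 401, {"error": "missing or unknown token"}
        user, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]   # expired tokens are dropped; the client must log in again
            return 401, {"error": "token expired"}
        return 200, {"user": user, "devices": ["sw1", "rtr1"]}


class ApiClient:
    """Logs in once, caches the token, and re-authenticates once on a 401."""

    def __init__(self, controller: FakeController, username: str, password: str) -> None:
        self.ctl, self.user, self.pw = controller, username, password
        self.token: Optional[str] = None
        self.logins = 0   # counts round-trips that carried the password

    def _login(self, now: float) -> None:
        self.logins += 1
        status, body = self.ctl.login(self.user, self.pw, now)
        if status != 200:
            raise PermissionError(str(body["error"]))
        self.token = str(body["token"])

    def devices(self, now: float) -> Response:
        if self.token is None:
            self._login(now)
        auth = {"Authorization": f"Bearer {self.token}"}
        status, body = self.ctl.get_devices(auth, now)
        if status == 401:   # token expired or revoked: refresh once and retry
            self._login(now)
            status, body = self.ctl.get_devices({"Authorization": f"Bearer {self.token}"}, now)
        return status, body


if __name__ == "__main__":
    ctl = FakeController()
    client = ApiClient(ctl, "admin", "cisco123")
    print(client.devices(now=0.0))      # logs in, then (200, {...})
    print(client.devices(now=10.0))     # token reused, no second login
    print(client.devices(now=400.0))    # token expired: one re-login, then 200
    print(client.logins)                # 2
```

The password crosses the wire only on the login calls (twice over three requests here), which is the security difference from Basic Authentication, and the retry-once rule avoids a login loop when the 401 is caused by something other than expiry.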
Common Token Types
You may see:
- Bearer tokens: "Bearer" is the scheme used to present a token in the Authorization header; the token itself may be an opaque string or a JWT
- JWT (JSON Web Token): a structured, signed token format
A JWT is three Base64url-encoded parts separated by dots:
- Header (signing algorithm and token type)
- Payload (claims such as the user and the exp expiry time)
- Signature (an HMAC or digital signature over the header and payload)
The payload is encoded, not encrypted: anyone holding the token can read the claims. The signature only proves the token was issued by the holder of the key and has not been altered.
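For the self-contained case, the Python below (an added example, not code from the page, and not a substitute for a maintained JWT library in production) mints an HS256 JWT, reads its payload without any key to show that the claims are visible to anyone, and verifies signature and exp with no server-side state at all. The signing secret, the claim values and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed signing secret; a real server loads this from a secrets store.
SECRET = b"example-hs256-secret-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: Dict[str, Any], secret: bytes = SECRET) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def read_payload(token: str) -> Dict[str, Any]:
    """Decode the payload WITHOUT verifying it.

    Anyone holding the token can do this, so never put secrets in claims:
    the payload is encoded, not encrypted.
    """
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes = SECRET,
               now: Optional[float] = None) -> Dict[str, Any]:
    """Stateless verification: needs only the signing secret, no session table.

    Raises ValueError for a malformed, tampered, wrongly signed or expired token.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # refuse 'none' and algorithm swapping
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = mint_jwt({"sub": "admin", "exp": int(time.time()) + 300})
    print(token[:36])            # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 (the page's header)
    print(read_payload(token))   # readable by anyone, no key involved
    print(verify_jwt(token))     # same claims, now trusted
```

The first 36 characters match the token in the page's login example because that prefix is just the Base64url of {"alg":"HS256","typ":"JWT"}. The alg check matters: a verifier that honours whatever algorithm the token names can be talked into accepting an unsigned token.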
Where It Is Used in IT
- Network controllers
- Cloud dashboards
- Automation platforms
- REST-based infrastructure APIs
Example:
An automation tool logs into a network controller once, receives a token, and uses it for multiple API calls.
Advantages
- More secure than Basic Auth
- Password not repeatedly sent
- Supports expiration
- Scalable
Disadvantages
- Slightly more complex
- Token management required
- Expiration handling needed
Comparison Table (Important for Exam)
| Feature | Basic Auth | API Key | Custom Token |
|---|---|---|---|
| Uses Username/Password | Yes | No | Only during login |
| Sent Every Request | Yes | Yes | Token only |
| Needs HTTPS | Yes | Yes | Yes |
| Identifies User | Yes | Usually App | Yes |
| Supports Expiration | No | Rare | Yes |
| Scalable | Low | Medium | High |
Security Best Practices (Exam Important)
You must know:
- Always use HTTPS
- Never store credentials in plain text
- Use environment variables for API keys
- Rotate API keys regularly
- Implement token expiration
- Use least privilege access
HTTP Status Codes Related to Authentication
Be familiar with:
401 Unauthorized
No valid credentials were presented (missing, malformed, wrong, or expired). The response normally carries a WWW-Authenticate header naming the expected scheme, for example Basic or Bearer.
403 Forbidden
Authenticated, but the identity is not allowed to perform this action. Re-sending the same credentials will not help.
429 Too Many Requests
Rate limit exceeded (common with API keys). A Retry-After header, when present, says how long to wait.
Tools You Should Be Comfortable With
For DEVASC exam:
- Postman
- curl
- Python requests
- Reading API documentation
- Understanding HTTP headers
How Exam Questions May Appear
You may be asked to:
- Identify the correct header for Basic Authentication
- Determine where to place an API key
- Understand why a 401 error occurs
- Recognize Bearer token format
- Choose the most secure method for scalable systems
Quick Memory Tips for Exam
- Basic = username + password every time
- API Key = identify application
- Token = login once, use token afterward
- Bearer token goes in Authorization header
- Always use HTTPS
Final Summary
For the Cisco DevNet Associate (200-901 DEVASC) exam, you must understand:
- How Basic Authentication works
- How API Keys work
- How Custom Token Authentication works
- Where authentication data is placed in HTTP requests
- Security implications of each method
- When each method is appropriate
- Related HTTP status codes
If you clearly understand these three authentication mechanisms, their headers, behavior, and security differences, you are fully prepared for this section of the exam.
