AI Agents
Module 06Lesson 5

Lesson 5. Authorization — How Services Recognize "Their Own"

Hands-on: Zapier

Lesson 5. Authorization — How Services Recognize "Their Own"#

Why This Matters#

Authorization is a way to prove you have the right to access a service. Without authorization, anyone could read your data.

Key Idea#

Authorization = "pass" for API access

To get past the service, you need to show a key, token, or login-password.

Types of Authorization#

1. API Key

What it is: a unique string you copy from the service and paste into the integration

Example:

API Key: sk_test_abcdef123456xyz

Where used:

Google Sheets, OpenAI, Stripe

How to get it:

  1. Go to service settings (e.g., Google Cloud Console)

  2. Create an API key

  3. Copy the key

  4. Paste it into the integration settings

Important: don't share your API key — it's like a bank card password

2. Bearer Token

What it is: a temporary "pass" issued after login

Example:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Where used:

Modern APIs (e.g., Zapier, Telegram Bot API)

How to get it:

  1. Log in to the service

  2. Generate a token in settings

  3. Copy and use in requests

3. OAuth 2.0 (authorization via third-party service)

What it is: when you allow one service to access another

Example:

"Allow Zapier access to your Google Drive"

How it works:

  1. You click "Connect Google Drive"

  2. Google asks: "Allow access?"

  3. You confirm

  4. Google issues a token to Zapier

  5. Zapier can now read your files (within the granted permissions)

Where used:

All no-code platforms (Zapier, Make, n8n)

What Authorization Looks Like in a Request#

Example API request with Bearer Token:


POST https://api.service.com/clients

Authorization: Bearer abc123xyz456

Content-Type: application/json



{

  "name": "Ivan",

  "phone": "+7-999-111-22-33"

}

Breakdown:

  • POST — request type (send data)

  • https://api.service.com/clients — API address

  • Authorization: Bearer abc123xyz456 — access token

  • Content-Type: application/json — data format (JSON)

  • {"name": "Ivan", ...} — data

What to Know#

  • Without authorization, the API won't let you in

  • Keys and tokens are confidential — don't publish them

  • No-code platforms usually handle authorization automatically (OAuth)