nerdexam
Cisco

350-401 · Question #1199

Which security feature does stateless authentication and authorization use for REST API calls?

The correct answer is A. OAuth 2 tokens. Stateless authentication and authorization for REST API calls primarily rely on OAuth 2 tokens to establish identity and grant access without maintaining server-side session state.

Submitted by carlos_mx· Mar 6, 2026

Question

Which security feature does stateless authentication and authorization use for REST API calls?

Options

  • AOAuth 2 tokens
  • BAPI keys
  • CSSL/TLS certificate encryption
  • Dcookie-based session authentication

How the community answered

(25 responses)
  • A
    92% (23)
  • B
    4% (1)
  • C
    4% (1)

Why each option

Stateless authentication and authorization for REST API calls primarily rely on OAuth 2 tokens to establish identity and grant access without maintaining server-side session state.

AOAuth 2 tokensCorrect

OAuth 2 tokens, such as bearer tokens (e.g., JWTs), are a common mechanism for stateless authentication and authorization in REST APIs. The token itself contains all necessary information to verify the client's identity and permissions, allowing the API server to validate each request independently without needing to store session state.

BAPI keys

While API keys are used for authentication, they are often simpler and less robust than OAuth 2 tokens for authorization, and can sometimes be managed in a stateful manner for rate limiting or tracking.

CSSL/TLS certificate encryption

SSL/TLS certificate encryption provides secure communication over the wire by encrypting data and verifying server identity, but it is a transport-layer security feature, not an authentication or authorization mechanism for the application layer itself.

Dcookie-based session authentication

Cookie-based session authentication is inherently stateful, as the server typically stores session information linked to the cookie, which contradicts the requirement for stateless authentication.

Concept tested: Stateless REST API authentication/authorization

Source: https://datatracker.ietf.org/doc/html/rfc6749

Topics

#OAuth 2.0#REST API security#Stateless authentication#API authorization

Community Discussion

No community discussion yet for this question.

Full 350-401 Practice