Where would be the best place to put the captcha token in a REST API

I'm designing a REST API that allows the client side to POST (create) a resource. Let's call my resource Subscription, and my REST API accepts a DTO called Subscription. The POST request needs to be sent together with a captcha token that will be verified on the server side.

My question is: where would be the best place to put the captcha token? There are some options that I'm thinking about:

  1. Directly inside Subscription
  2. As a parameter in URL, e.g: /subscriptions?captcha_token=abcd1234
  3. As an HTTP header
  4. Create a new DTO that wraps Subscription and carries the field captchaToken

Any other suggestions are welcome.

Thank you.

ntahoang asked Nov 29 '25 11:11


1 Answer

For anything authentication- or authorization-related, I typically rely on headers or querystring parameters.

Generally I don't like to commingle payload with auth-related material, nor do I like to encapsulate it.

Having it in an HTTP header or as a querystring parameter gives you a good amount of isolation there. Also, since it's independent of the request body, you can implement broader auth controls for every API call without being dependent on the presence of a request body (important for GET requests, which shouldn't carry a request body anyway).

joelc answered Dec 01 '25 13:12
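The separation the answer argues for, as an added example (not code from the question or from joelc): a middleware-style gate that pulls the captcha token from a header first and a query-string parameter second, verifies it, and only then lets the request body reach the JSON deserializer. The header name `X-Captcha-Token`, the `Request` stand-in and the `CaptchaVerifier` stub are assumptions; a real verifier would make a server-to-server call to the captcha provider with the site secret, which cannot run offline here. The stub does keep the single-use rule real providers enforce, so a replayed token fails on the second attempt.

```python
"""Transport-agnostic captcha check that runs before body parsing.

Hypothetical names: the header X-Captcha-Token, the query parameter
captcha_token (taken from the question's example URL) and the
CaptchaVerifier stub are assumptions, not any provider's real API.
"""
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

HEADER_NAME = "X-Captcha-Token"   # assumed header name
QUERY_NAME = "captcha_token"      # query-string name from the question


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def extract_captcha_token(req: Request) -> Optional[str]:
    """Header first, then query string; the body is never inspected.

    Because the body is not touched, the same function gates GET, DELETE
    and POST alike, which is the isolation the answer describes.
    """
    for name, value in req.headers.items():
        if name.lower() == HEADER_NAME.lower() and value.strip():
            return value.strip()
    values = parse_qs(urlsplit(req.url).query).get(QUERY_NAME, [])
    return values[0] if values and values[0] else None


class CaptchaVerifier:
    """Stub for the provider's verification endpoint (assumption).

    Accepts tokens from a constructed allow-list and marks each one used,
    so a token presented twice is rejected the second time, mirroring the
    single-use behaviour of real captcha providers.
    """
    def __init__(self, valid_tokens):
        self._valid = set(valid_tokens)
        self._used = set()

    def verify(self, token: str) -> bool:
        if token not in self._valid or token in self._used:
            return False
        self._used.add(token)
        return True


def require_captcha(req: Request, verifier: CaptchaVerifier) -> Tuple[int, Optional[str]]:
    """Middleware-style gate: returns (status, reason); 200 means proceed."""
    token = extract_captcha_token(req)
    if token is None:
        return 400, "missing captcha token"
    if not verifier.verify(token):
        return 403, "captcha verification failed"
    return 200, None


def handle_subscription(req: Request, verifier: CaptchaVerifier):
    """POST /subscriptions: gate first, deserialize the DTO only afterwards."""
    status, reason = require_captcha(req, verifier)
    if status != 200:
        return status, {"error": reason}
    payload = json.loads(req.body)   # the Subscription DTO stays as the client sent it
    return 201, {"subscription": payload}


if __name__ == "__main__":
    # Constructed sample traffic: token in the header, then a replay of it.
    verifier = CaptchaVerifier(["abcd1234"])
    req = Request("POST", "/subscriptions",
                  {"X-Captcha-Token": "abcd1234", "Content-Type": "application/json"},
                  b'{"email": "subscriber@example.com"}')
    print(handle_subscription(req, verifier))   # 201, DTO echoed back
    print(handle_subscription(req, verifier))   # 403, token already consumed
```

Of the two transports the answer accepts, the header is the safer default: query strings routinely end up in access logs, proxy logs, browser history and Referer headers, while a custom header does not, so keep the query-string path only as a fallback for clients that cannot set headers.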


