As is the case with most APIs, Chef API is authenticated before the request is processed, and the result is transmitted back to the client. The authorization of the request is done by the Chef server. A few HTTP headers are signed by the private key on the client machine, and the Chef server verifies the signature by using the public key. Only once the request has been authorized, can processing take place.

Generally, when using utilities such as Knife and so on, we don't have to be really concerned about handling authorization, as this is something that is automatically taken care of by the tool. However, when using libraries such as cURL or any arbitrary Ruby code, it is necessary to include a full authentication header ...