Ask HN: What kind of authentication model do you use for your API service?
Ok, so I am building yet another API.
This time I wanted to go through some types of authentication implementations to see which one would be simplest for our customers to implement, and which one would be more secure.
How do you let your API users authenticate?
* Creating "Apps" in your service?
* User based Private/Public key?
* Username/Password
* oAuth?
Other ideas?
-- EDIT: Updated linebreaks in list.
11 comments
[ 3.4 ms ] story [ 30.4 ms ] threadSeems like there is a lot of talk regarding the 2nd generation of oAuth.
Do you have any insight to share regarding that?
oAuth seems to have quite a large pool of samples and classes here which I found useful; http://oauth.net/code/
Since you're running on GAE you're likely using either python or java:
Python bcrypt implementation: http://www.mindrot.org/projects/py-bcrypt/
Java bcrypt implementation: http://www.mindrot.org/projects/jBCrypt/
http://blog.apigee.com/detail/do_you_need_api_keys_api_ident...
In short: http://stackoverflow.com/questions/6767813/api-keys-vs-http-...
That sounds interesting, how would you implement that on an API level in a good way? I mean, the clients applications will most probably do automatic transactions all the time.
Are you thinking something like time-based sessions, which you have to authenticate on both ends - with a PK?
But Yes, I have to admit, for API, this may be overkill-
I also think this might be a bit overkill - maybe something for real enterprise apps... :-)
But it's a cool thought!
Thanks for sharing!