[ARIN-consult] Consultation on API Key Handling

Jo Rhett geek at jorhett.com
Thu Aug 8 19:48:09 EDT 2024


> Unless ARIN intends to release and maintain high-quality client software libraries in each of the top 20 programming languages,


...

> I’m working on the assumption that the implementation will be no more complex than an "Authorization: Token XXXX" HTTP header, which is a well-established pattern for API authentication. If the implementation were to be more complex than that, I’d raise an objection as well.


There's no reason to build something raw and native. There are dozens of robust, well-tested security frameworks for authentication that are implemented by every platform and language already. OAuth 2, JWT, OpenID Connect, ...

Yes, those align with (but are greater than) plaintext headers. Don't go creating a unique model unless none of the well-established, widely used frameworks will meet the needs.

-- 
Jo Rhett


