Most active commenters
  • cyberax(5)
  • pixelatedindex(4)

←back to thread

Everything I know about good API design

(www.seangoedecke.com)
428 points ahamez | 13 comments | 24 Aug 25 19:10 UTC | HN request time: 1.365s | source | bottom
Show context
cyberax ◴[24 Aug 25 21:29 UTC] No.45007982[source]
> You should let people use your APIs with a long-lived API key.

Sigh... I wish this were not true. It's a shame that no alternatives have emerged so far.

replies(2): >>45008330 #>>45008372 #
1. pixelatedindex ◴[24 Aug 25 22:27 UTC] No.45008372[source]
To add on, are they talking about access tokens or refresh tokens? It can’t be just one token, because then when it expires you have to update it manually from a portal or go through the same auth process, neither of which is good.

And what time frame is “long-lived”? IME access tokens almost always have a lifetime of one week and refresh tokens anywhere from 6 months to a year.

replies(3): >>45008399 #>>45008522 #>>45008655 #
2. rahkiin ◴[24 Aug 25 22:30 UTC] No.45008399[source]
Inthink they are talking about refresh token or Api Keys like PATs. Some value you pass in a header and it just works. No token flow. And the key is valid for months and can be revoked
3. cyberax ◴[24 Aug 25 22:52 UTC] No.45008522[source]
If you're using APIs from third parties, the most typical authentication method is a static key that you stick in the "Authorization" HTTP header.

OAuth flows are not at all common for server-to-server communications.

In my perfect world, I would replace API keys with certificates and use mutual TLS for authentication.

replies(3): >>45008592 #>>45009001 #>>45011031 #
4. nostrebored ◴[24 Aug 25 23:02 UTC] No.45008592[source]
In your perfect world, are you primarily the producer or consumer of the API?

I hate mTLS APIs because they often mean I need to change how my services are bundled and deployed. But to your point, if everything were mTLS I wouldn’t care.

replies(1): >>45009738 #
5. smj-edison ◴[24 Aug 25 23:10 UTC] No.45008655[source]
> Every integration with your API begins life as a simple script, and using an API key is the easiest way to get a simple script working. You want to make it as easy as possible for engineers to get started.

> ...You’re building it for a very wide cross-section of people, many of whom are not comfortable writing or reading code. If your API requires users to do anything difficult - like performing an OAuth handshake - many of those users will struggle.

Sounds like they're talking about onboarding specifically. I actually really like this idea, because I've certainly had my fair share of difficulty just trying to get the dang thing to work.

Security wise perhaps not the best, but mitigations like staging only or rate limiting seem sufficient to me.

replies(1): >>45008989 #
6. pixelatedindex ◴[25 Aug 25 00:08 UTC] No.45008989[source]
True, I have enjoyed using integrations where you can generate a token from the portal for your app to make the requests. One thing that’s difficult in this scenario is authorization - what resources does this token have access to can be kind of murky.
7. pixelatedindex ◴[25 Aug 25 00:11 UTC] No.45009001[source]
IME, OAuth flows are pretty common in S2S communication. Usually these tend to be client credential based flows where you request a token exactly like you said (static key in Authorization), rather than authorized grant flows which requires a login action.
replies(1): >>45009390 #
8. cyberax ◴[25 Aug 25 01:33 UTC] No.45009390{3}[source]
Yeah, but then there's not that much difference, is there? You can technically move the generation of the access tokens to a separate secure environment, but this drastically increases the complexity and introduces a lot of interesting failure scenarios.
replies(1): >>45009622 #
9. pixelatedindex ◴[25 Aug 25 02:26 UTC] No.45009622{4}[source]
I mean… is adding an OAuth layer in 2025 adding that much complexity? If you’re scripting then there’s usually some package native to the language, if you’re using postman you’ll need to generate your authn URL (or do username/passwords for client ID/secret).

If you have sensitive resources they’ll be blocked behind some authz anyway. An exception I’ve seen is access to a sandbox env, those are easily generated at the press of a button.

replies(1): >>45009736 #
10. cyberax ◴[25 Aug 25 02:49 UTC] No.45009736{5}[source]
No, I'm just saying that an OAuth layer isn't really adding much benefit when you either use an API key to obtain the refresh token or the refresh token itself becomes a long-term secret, not much better than an API key.

Some way to break out of the "shared secret" model is needed. Mutual TLS is one way that is at least getting some traction.

replies(1): >>45019736 #
11. cyberax ◴[25 Aug 25 02:49 UTC] No.45009738{3}[source]
> In your perfect world, are you primarily the producer or consumer of the API?

Both, really. mTLS deployment is the sticking point, but it's slowly getting better. AWS load balancers now support it, they terminate the TLS connection, validate the certificate, and stick it into an HTTP header. Google Cloud Platform and CloudFlare also support it.

12. zzo38computer ◴[25 Aug 25 06:52 UTC] No.45011031[source]
I would also use mutual TLS; in addition to improved security (on both sides), it also allows for many additional possibilities, such as partial delegation of authorization, etc. (If not everyone wants it, it can be made an option rather than mandatory.)
13. JambalayaJimbo ◴[25 Aug 25 22:12 UTC] No.45019736{6}[source]
Refresh tokens aren’t necessarily long lived, you can force the client to exchange for another refresh token.