(www.seangoedecke.com)

428 points ahamez | 1 comments | 24 Aug 25 19:10 UTC | HN request time: 0s | source

Show context

cyberax ◴[24 Aug 25 21:29 UTC] No.45007982[source]▶

>>45006801 (OP) #

> You should let people use your APIs with a long-lived API key.

Sigh... I wish this were not true. It's a shame that no alternatives have emerged so far.

replies(2): >>45008330 #>>45008372 #

pixelatedindex ◴[24 Aug 25 22:27 UTC] No.45008372[source]▶

>>45007982 #

To add on, are they talking about access tokens or refresh tokens? It can’t be just one token, because then when it expires you have to update it manually from a portal or go through the same auth process, neither of which is good.

And what time frame is “long-lived”? IME access tokens almost always have a lifetime of one week and refresh tokens anywhere from 6 months to a year.

replies(3): >>45008399 #>>45008522 #>>45008655 #

1. rahkiin ◴[24 Aug 25 22:30 UTC] No.45008399[source]▶

>>45008372 #

Inthink they are talking about refresh token or Api Keys like PATs. Some value you pass in a header and it just works. No token flow. And the key is valid for months and can be revoked

↑

Everything I know about good API design