
428 points ahamez | 2 comments
cyberax No.45007982
> You should let people use your APIs with a long-lived API key.

Sigh... I wish this were not true. It's a shame that no alternatives have emerged so far.

replies(2): >>45008330 #>>45008372 #
TrueDuality No.45008330
There are other options that allow long-lived access with naturally rotating keys without OAuth and only a tiny amount of complexity increase that can be managed by a bash script. The refresh token/bearer token combo is pretty powerful and has MUCH stronger security properties than a bare API key.
replies(3): >>45008408 #>>45008647 #>>45009708 #
1. rahkiin No.45008408
If API keys do not need to be stateless, every API key can become a refresh token with a full permission and validity lookup.
replies(1): >>45009591 #
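The scheme TrueDuality and rahkiin describe, as an added example that is not code from either commenter: the long-lived API key is stored hashed and looked up (scopes, expiry, revocation) only when it is exchanged for a short-lived bearer token, and requests are then checked statelessly against the bearer. The HMAC-signed token format, the in-memory key table and the 300-second bearer lifetime are assumptions chosen for the example.

```python
import hmac, hashlib, json, base64, secrets, time

SERVER_SECRET = secrets.token_bytes(32)   # constructed: signs short-lived bearer tokens
BEARER_TTL = 300                          # seconds; short so revocation bites quickly

def _hash_key(api_key: str) -> str:
    # Store only a hash of the long-lived key, never the key itself.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed in-memory record per key: scopes, expiry, revocation flag (the "validity lookup").
API_KEYS = {}

def issue_api_key(scopes, lifetime_s=365 * 24 * 3600, now=None):
    now = time.time() if now is None else now
    key = "ak_" + secrets.token_urlsafe(32)
    API_KEYS[_hash_key(key)] = {"scopes": set(scopes), "exp": now + lifetime_s, "revoked": False}
    return key

def revoke_api_key(api_key):
    API_KEYS[_hash_key(api_key)]["revoked"] = True

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def exchange_for_bearer(api_key, now=None):
    """Refresh step: the key is looked up on every exchange, so revocation and
    scope changes take effect the next time a bearer is minted."""
    now = time.time() if now is None else now
    rec = API_KEYS.get(_hash_key(api_key))
    if rec is None or rec["revoked"] or now > rec["exp"]:
        return None
    payload = json.dumps({"scopes": sorted(rec["scopes"]), "exp": int(now + BEARER_TTL)}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_bearer(token, required_scope, now=None):
    """Request path: stateless check of signature, expiry and scope; no table lookup."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        pad = lambda s: s + "=" * (-len(s) % 4)
        payload = base64.urlsafe_b64decode(pad(p64))
        sig = base64.urlsafe_b64decode(pad(s64))
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    claims = json.loads(payload)
    return now <= claims["exp"] and required_scope in claims["scopes"]
```

A bearer minted before the key was revoked stays valid only until its short expiry, which is the window this design trades for not hitting the key table on every request.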
2. marcosdumay No.45009591
This.

The separation of a refresh cycle is an optimization done for scale. You don't need to do it if you don't need the scale. (And you need a really huge scale to hit that need.)