←back to thread

Everything I know about good API design

(www.seangoedecke.com)
428 points ahamez | 2 comments | 24 Aug 25 19:10 UTC | HN request time: 0.578s | source
Show context
cyberax ◴[24 Aug 25 21:29 UTC] No.45007982[source]
> You should let people use your APIs with a long-lived API key.

Sigh... I wish this were not true. It's a shame that no alternatives have emerged so far.

replies(2): >>45008330 #>>45008372 #
TrueDuality ◴[24 Aug 25 22:23 UTC] No.45008330[source]
There are other options that allow long-lived access with naturally rotating keys without OAuth and only a tiny amount of complexity increase that can be managed by a bash script. The refresh token/bearer token combo is pretty powerful and has MUCH stronger security properties than a bare API key.
replies(3): >>45008408 #>>45008647 #>>45009708 #
1. maxwellg ◴[24 Aug 25 23:09 UTC] No.45008647[source]
Refresh tokens are only really required if a client is accessing an API on behalf of a user. The refresh token tracks the specific user grant, and there needs to be one refresh token per user of the client.

If a client is accessing an API on behalf of itself (which is a more natural fit for an API Key replacement) then we can use client_credentials with either client secret authentication or JWT bearer authentication instead.

replies(1): >>45009202 #
2. TrueDuality ◴[25 Aug 25 00:54 UTC] No.45009202[source]
That is a very specific form of refresh token but not the only model. You can just easily have your "API key" be that refresh token. You submit it to an authentication endpoint, get back a new refresh token and a bearer token, and invalidate the previous bearer token if it was still valid. The bearer token will naturally expire and if you're still using it, just use the refresh immediately, if its days or weeks later you can use it then.

There doesn't need to be any OIDC or third party involved to get all the benefits of them. The keys can't be used by multiple simultaneous clients, they naturally expire and rotate over time, and you can easily audit their use (primarily due to the last two principles).