I've been researching the different ways of granting users API access to my application & it seems there's a strong consensus that every user should be given an access token along with an access token secret.
I've looked at several prominent APIs and I still see some of them exclusively relying on API Keys to grant users access to their application.
The structure of the request to server usually looks something like this:
https://api.example.com?api-key=test-data
I did come across this article by Zapier.com which states:
Use API keys if you expect developers to build internal applications that don’t need to access more than a single user’s data.
In my case, users/developers are only going to use their API Key to access their own data. Are there any legitimate reasons why I would still want/need to generate an access token, access token secret and consumer key? Also, it seems one reason of providing the end user an access token is to prevent a malicious user from intercepting someone's API Key (or the access token secret). If this is the case, how would a user hide his access token secret if I don't provide them with an access token (only with API Key)? How would he prevent his access token secret from being read and intercepted by a malicious 3rd party?
via Chebli Mohamed
Aucun commentaire:
Enregistrer un commentaire