
Use an expiring token like mechanism.

The API user first gets a token using credentials. Future requests use the token for authentication.

A new token will be required periodically.




What are the benefits of doing this instead of just requiring authentication with every request?

Is it because the authentication part is a lot of work for the server or client?

Is it for the negligible (in this context) security benefits of not using the same secret-key for all traffic?


The hashing for the authentication is intentionally computationally slow (thus mitigating brute-force validation). The token issued is basically like a session id - validating a session id is really just like a string compare, so it's much, much faster.
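As an added illustration of the cost gap this comment describes (example code, not from anyone in the thread): login runs a deliberately slow PBKDF2 password check once and hands out a random expiring token, while every later request is authenticated with a lookup plus an expiry check. The user store, the TTL, the iteration count and the injectable clock are all constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed for the demo: the deliberately slow password hash the comment refers to.
PBKDF2_ITERATIONS = 100_000
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
class TokenAuth:
    """Slow credential check once at login; cheap token check on every later request."""
    def __init__(self, ttl_seconds: float = 900.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._tokens = {}     # token -> (username, expires_at)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        """Slow path: one PBKDF2 run, constant-time compare, then issue an expiring token."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: an unguessable session id
        self._tokens[token] = (username, self._clock() + self._ttl)
        return token

    def authenticate(self, token: str):
        """Fast path: a lookup and an expiry check, no password hashing at all."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._tokens[token]  # expired: the client has to log in again
            return None
        return username

def time_paths(auth, username, password):  # -> (login_seconds, authenticate_seconds)
    t0 = time.perf_counter(); token = auth.login(username, password)
    t1 = time.perf_counter(); auth.authenticate(token)
    return t1 - t0, time.perf_counter() - t1
```

Calling `time_paths` on a registered user shows the login path costing tens of milliseconds and the token path microseconds; the slow step is paid once per token lifetime instead of once per request.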



