umm... it's called HTTP-AUTH, and if you really want to be cool, use an X.509 client cert for authorization (see geoserver as an example that works very cleanly - http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html; the freebxml registry-repository also uses X.509 based authentication in a reasonably clean manner)

Robert Sanderson wrote:
To be (more) controversial...

If it's okay to require headers, why can't API keys go in a header rather
than the URL?
Then it's just the same as content negotiation, it seems to me. You send a
header and get a different response from the same URI.

Rob



On Mon, Dec 2, 2013 at 10:57 AM, Edward Summers <[email protected]> wrote:

On Dec 3, 2013, at 4:18 AM, Ross Singer <[email protected]> wrote:
I'm not going to defend API keys, but not all APIs are open or free.  You
need to have *some* way to track usage.
A key (haha) thing that keys also provide is an opportunity to have a
conversation with the user of your api: who are they, how could you get in
touch with them, what are they doing with the API, what would they like to
do with the API, what doesn’t work? These questions are difficult to ask if
they are just an IP address in your access log.

//Ed
