
> Apart from HTTP Basic Auth, but please don't use that.

What's wrong with basic auth with HTTPS? You can delegate authentication with OAuth and then use OAuth for authorization, but authentication still has to be done somewhere.



> What's wrong with basic auth with HTTPS?

The only thing wrong that I can see is that it's 2017 and the browsers still don't have a good (indeed, AFAIK, any) UI for logging out.


Or for staying logged in across sessions (or not). But it should be fine for an API.


I think the Twilio API still uses or used basic auth via HTTPS.


So does Stripe. There is nothing wrong with basic auth for API tokens so long as you're using HTTPS.



