umm... it's called HTTP-AUTH, and if you really want to be cool, use an 
X.509 client cert for authorization (see geoserver as an example that 
works very cleanly - 
http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html; 
the freebxml registry-repository also uses X.509 based authentication in 
a reasonably clean manner)

Robert Sanderson wrote:
> To be (more) controversial...
>
> If it's okay to require headers, why can't API keys go in a header rather
> than the URL?
> Then it's just the same as content negotiation, it seems to me. You send a
> header and get a different response from the same URI.
>
> Rob
>
>
>
> On Mon, Dec 2, 2013 at 10:57 AM, Edward Summers wrote:
>
>> On Dec 3, 2013, at 4:18 AM, Ross Singer wrote:
>>> I'm not going to defend API keys, but not all APIs are open or free.  You
>>> need to have *some* way to track usage.
>> A key (haha) thing that keys also provide is an opportunity to have a
>> conversation with the user of your api: who are they, how could you get in
>> touch with them, what are they doing with the API, what would they like to
>> do with the API, what doesn’t work? These questions are difficult to ask if
>> they are just an IP address in your access log.
>>
>> //Ed
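The header-based approach discussed in this thread, as an added example that is not part of any poster's message: a small WSGI app that takes the key from a request header or from HTTP Basic auth, counts usage per key holder, and marks the response as varying on those headers so the URI stays the same for every caller. The `X-API-Key` header name, the key registry, the contact address and the use of the Basic username as the key are all assumptions made for illustration.

```python
# Added example; keys, contacts and the X-API-Key header name are constructed.
import base64
from collections import Counter
from wsgiref.util import setup_testing_defaults

# Constructed registry: API key -> contact for the key holder.
API_KEYS = {"demo-key-123": "alice@example.org"}
USAGE = Counter()  # requests served per key holder

def key_from_headers(environ):
    """Return the key from X-API-Key, or the Basic auth username, else None."""
    key = environ.get("HTTP_X_API_KEY")
    if key:
        return key
    scheme, _, value = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    return decoded.partition(":")[0] or None

def app(environ, start_response):
    owner = API_KEYS.get(key_from_headers(environ))
    if owner is None:
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="api"'),
            ("Content-Type", "text/plain")])
        return [b"API key required\n"]
    USAGE[owner] += 1  # usage is attributed to a known contact, not an IP
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        # Same URI, different response per caller: tell caches which
        # request headers the response depends on.
        ("Vary", "X-API-Key, Authorization"),
        ("Cache-Control", "private")])
    return [b"hello " + owner.encode() + b"\n"]

def call(path, headers=None):
    """Drive the app in-process; returns (status, header dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ.update(headers or {})
    out = {}
    def start_response(status, hdrs):
        out["status"], out["headers"] = status, dict(hdrs)
    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body
```

Because the key never appears in the request line, it stays out of the URL field of access logs and out of shared links.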