3 Comments

Authentication for API

Happy new year!

I have been toying around with a project where I allow users to post data to my API when they are running CI.

I would like users to be able to sign in, get an API key and then include this data in their requests to my API. A similar example is how Codecov works, for instance.

I am writing this in Rails and currently using Clearance for authentication, but I do not quite know how to model the authentication.

  1. How should I create the API-keys?
  2. How should I think about rotating them?
  3. Should I require some authentication step and exchange the API key for a JWT token? But what is the point compared to just using the API key for authentication on each request?
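One way to model the key store the questions above ask about, as an added example in plain Ruby (not the poster's or any commenter's code): the client keeps the full key, the server stores only a hash of the secret, and rotation keeps the old key alive for a short grace window so running CI jobs can switch over. `ApiKeyStore`, `issue`, `rotate`, `revoke` and the record fields are hypothetical names that a Rails `ApiKey` model would map onto.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical in-memory stand-in for an ApiKey table (added example).
class ApiKeyStore
  Record = Struct.new(:id, :user_id, :digest, :expires_at, :revoked)

  def initialize
    @records = {}
  end

  # Issue a key "<id>.<secret>": the client keeps it, we keep only SHA-256(secret).
  # The random id lets us find the record without scanning every digest.
  def issue(user_id, ttl: 90 * 24 * 3600, now: Time.now)
    id = SecureRandom.hex(8)
    secret = SecureRandom.urlsafe_base64(32)
    @records[id] = Record.new(id, user_id, Digest::SHA256.hexdigest(secret), now + ttl, false)
    "#{id}.#{secret}"
  end

  # Returns the owning user_id, or nil if the key is unknown, malformed,
  # expired or revoked. Every request can be checked this way; no JWT needed.
  def authenticate(presented, now: Time.now)
    id, secret = presented.to_s.split('.', 2)
    rec = @records[id]
    return nil if rec.nil? || secret.nil? || rec.revoked || rec.expires_at <= now
    secure_compare(rec.digest, Digest::SHA256.hexdigest(secret)) ? rec.user_id : nil
  end

  # Rotation: mint a replacement and shorten the old key's life to a grace
  # window (never extend it), so it expires on its own after the switch-over.
  def rotate(presented, grace: 3600, now: Time.now)
    user_id = authenticate(presented, now: now)
    return nil unless user_id
    rec = @records[presented.split('.', 2).first]
    rec.expires_at = [rec.expires_at, now + grace].min
    issue(user_id, now: now)
  end

  # Immediate kill switch for a leaked key (e.g. one that showed up in a CI log).
  def revoke(id)
    @records[id]&.revoked = true
  end

  private

  # Constant-time comparison of equal-length hex digests, so response timing
  # does not reveal how many leading characters of a guess matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```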
  1. 2

    You weren't the only one asking this question, it seems, so I decided to write a full article to explain more about what the best practice is for API key authentication. It's a bit technical, but I'll throw it in here:

    API authentication with api keys

    1. 1

      Thank you for the blog post!

      I have not quite figured it out yet...

  2. 1

    I decided to use an approach closer to:
    https://www.pluralsight.com/guides/token-based-authentication-with-ruby-on-rails-5-api

    I really wish there was something like an authorization flow for Doorkeeper that would fit well for this, but I could not find it.
