
Ask HN: API Key vs. OAUTH, which to choose? - dekhtiar
Hello everyone,
I am developing some APIs for my PhD defense, and I'd like to implement some kind of authentication.

I don't consider username/password to be a good practice for my use case. However, I need to choose between setting up an API Key Manager or an OAuth Provider (I don't want to use any existing one), mainly because I want to learn how to do it ;)

So, here is my quick question: OAuth seems way more complicated than a "simple" API Key; you have the consumer token & secret and the OAuth token & secret.
Except when you want to use another authentication service (Google, Facebook, ...), why use OAuth? It seems complicated as hell for nothing ...

Thanks a lot,

Regards
======
pwnna
It depends on what you want to do. Are you authenticating a human? Are you
authenticating a machine? OAuth and simple API keys address very different
concerns.

Generally OAuth is for authenticating to a 3rd party service/client that you
are this account on this service. An API key is authenticating you via your
client on this service. API keys are just like passwords. Only the user should
know it, whereas OAuth tokens can be safely given to 3rd parties.

------
smt88
Stormpath and (I think) AWS API Gateway can give you out-of-the-box OAuth2.
Start there.

Username/password is not mutually exclusive with API key and OAuth. API
keys are also not mutually exclusive with OAuth. All of these things can be
intermixed for different purposes. In some cases, API keys are only used to
identify the client, and not for any type of security.

> _mainly because I want to learn how to do it_

Don't do this unless the security isn't important for this project. Writing
secure code is really hard. You don't write an SSH library every time you need
SSH, do you?

I can also tell from your question that you don't have even the most basic
understanding of web app security (saying that OAuth is complicated for
"nothing").

------
artpepper
This may be pedantic but OAuth is an authorization protocol, not an
authentication protocol.

