Ask HN: What's the Right Answer for API Authentication over HTTPS?
4 points by colevscode on Oct 13, 2011 | hide | past | favorite | 3 comments
I've found a few good articles but they seem to disagree with regard to how many layers of security are required. Looking at other popular APIs doesn't offer much clarity. Twilio uses basic auth + HTTPS, Twitter uses OAuth, AWS uses HMAC.. WTF?

Specifically if I'm using HTTPS, can I get by with a simple secret key sent with each request? I'm trying to balance ease of use with security. I don't want to require the API user to sign the payload/query using their private key if I can avoid it.




GitHub uses basic auth + HTTPS, but recommends OAuth so that users:

1. Don't have to give their password to third party services

2. Can limit what kind of access the third party has (public vs private repos, for example)

3. Can reject a specific app's access without affecting that of others


Here are a few of the articles I've found:

http://www.thebuzzmedia.com/designing-a-secure-rest-api-with... Complete, easy to understand article that outlines the HMAC approach but suggests that things can be much simpler if HTTPS is employed.

http://broadcast.oreilly.com/2009/12/principles-for-standard... Claims that you should use HTTPS and sign your queries using a private key. This seems onerous for the API user.


I don't see any reason to 'sign' a request over HTTPS if you're going to implement authentication.

hmac / signing makes sense if you can't afford the overhead of SSL, and don't mind exposing the request to a man in the middle / eavesdropper.
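To make the trade-off in the comments above concrete, here is an added example (not code from the original thread or from any of the APIs named in it) of the HMAC signing approach: the client signs the method, path, body digest and a timestamp with its shared secret, and the server recomputes the HMAC, compares it in constant time, and rejects stale timestamps. The secret, paths and body are constructed values for the demo. This is what signing buys over a bare secret key sent in each request: a captured request cannot be modified, and can only be replayed inside a short window, even if TLS is terminated or logged somewhere in between.

```python
import hmac
import hashlib
import time

# Constructed per-client shared secret that the API server would store;
# in a real deployment it comes from a credential store, not source code.
API_SECRET = b"constructed-demo-secret-do-not-reuse"

def canonical_string(method, path, body, timestamp):
    """Build the exact bytes both sides sign: method, path, body digest, time.
    Binding the timestamp bounds how long a captured signature stays valid."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp)]).encode()

def sign_request(secret, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_request(secret, method, path, body, timestamp, signature,
                   now=None, max_skew=300):
    """Server side: recompute the HMAC and compare in constant time.
    Signatures whose timestamp is more than max_skew seconds from the
    server clock are rejected, which limits replay of a captured request."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, body, timestamp)
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(expected, signature)

def demo():
    """Sign one request, then verify the original, a tampered body, and a
    stale replay. Returns (valid, tampered_accepted, stale_accepted)."""
    ts = 1318464000  # constructed fixed timestamp so the demo is reproducible
    body = b'{"to":"+15555550100","text":"hi"}'
    sig = sign_request(API_SECRET, "POST", "/v1/messages", body, ts)
    ok = verify_request(API_SECRET, "POST", "/v1/messages", body, ts, sig, now=ts + 10)
    tampered = verify_request(API_SECRET, "POST", "/v1/messages", body + b" ", ts, sig, now=ts + 10)
    stale = verify_request(API_SECRET, "POST", "/v1/messages", body, ts, sig, now=ts + 3600)
    return ok, tampered, stale

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```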



