
If you lose the database for your own service, it does not matter how you authenticate to that service. Attackers have already fatally bypassed your credential system. At the same time, API credentials should by definition be single-use.



> At the same time, API credentials should by definition be single-use.

Could you spell this one out a little bit more? Do you mean only a single session should be able to use an API credential?

-----


I mean the credential should only be relevant to the service, never shared across multiple services, because the API generates it for you.

-----
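The point made in this thread, that a credential is minted by one service, usable only there, and that losing the credential store should not hand out working credentials, as an added example (not code from the original thread). The token format "<service>.<token_id>.<secret>", the in-memory store and the service names are assumptions for illustration; a real deployment would keep the hashed records in its database.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory credential store (assumption: stands in for a DB table).
# One mapping per service, keyed by token id, holding only a hash of the secret.
_STORE: dict[str, dict[str, bytes]] = {}


def _digest(service: str, secret: str) -> bytes:
    # Bind the stored hash to the service name, so even an identical secret
    # recorded under another service can never match here.
    return hashlib.sha256(f"{service}:{secret}".encode()).digest()


def issue_credential(service: str) -> str:
    """Mint an API credential bound to exactly one service.

    Format (assumed for this example): "<service>.<token_id>.<secret>".
    The service name must not contain '.'; token_urlsafe output never does.
    Only a hash of the secret is stored, so a leaked store does not yield
    credentials that can be replayed against the service.
    """
    token_id = secrets.token_urlsafe(8)
    secret = secrets.token_urlsafe(32)
    _STORE.setdefault(service, {})[token_id] = _digest(service, secret)
    return f"{service}.{token_id}.{secret}"


def verify_credential(service: str, presented: str) -> bool:
    """Accept a credential only at the service that issued it."""
    try:
        svc, token_id, secret = presented.split(".", 2)
    except ValueError:
        return False
    if svc != service:
        # Presented at a service other than the one that minted it.
        return False
    stored = _STORE.get(service, {}).get(token_id)
    if stored is None:
        return False
    # Constant-time comparison of the stored hash against the recomputed one.
    return hmac.compare_digest(stored, _digest(service, secret))


def secret_recoverable_from_store(presented: str) -> bool:
    """Simulate a leaked store: does the plaintext secret appear anywhere in it?"""
    secret = presented.rsplit(".", 1)[-1].encode()
    return any(secret in value for table in _STORE.values() for value in table.values())


if __name__ == "__main__":
    token = issue_credential("search")
    print("accepted at search :", verify_credential("search", token))
    print("accepted at billing:", verify_credential("billing", token))
    print("secret in leaked DB:", secret_recoverable_from_store(token))
```

The two checks in verify_credential are deliberate layers: the prefix check rejects cross-service use cheaply, and keying the hash on the service name means that even a store copied between services cannot be matched by the wrong one.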





