by knodi123 877 days ago
> nobody signed up for an API key in order to make posts

Yes you did. When you logged in, they gave you an API key in the form of a cookie that you include with every request.

And it's run at a loss by Y Combinator, which is very, very wealthy. And even hackernews has to pay for cloudflare and mods, on top of hardware, hosting, and traffic.


> When you logged in, they gave you an API key in the form of a cookie that you include with every request.

You can read this website (i.e. make queries against its database) without logging in. Moreover, the main thing the cookie does is not some kind of rate limiting or denial of service protection, it's assigning your username to your posts so that others can't impersonate your account. Various image boards exist that even allow you to post without logging in and they seem to be fine with it.

> You can read this website (i.e. make queries against its database) without logging in

Yeah, but the sentence I replied to was "nobody signed up for an API key in order to make posts". That claim was false. Being able to read the website is a totally different topic.

> That claim was false.

It was not. A login cookie isn't an API key. It serves a different purpose, which you can observe on the services that do have an API key and then separately require some other credentials to make posts as a particular user account.

Here's a good way to distinguish them. If I want to make my own app (in this context a web browser), do I have to maintain some intermediary servers that the app makes requests through in order to keep my, the app developer's, API key a secret from the users who are using the app? No, the user only needs their own user account, and only for the things that require a user account, and the service expects for each user to have their own account, rather than each app.
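The distinction drawn in the comment above, as an added example that is not part of the thread and not any real site's code: a toy in-memory service where an API key identifies the calling application, a session cookie binds a request to a user account (so nobody else can post under that name), reads need neither, and a rate limiter is accounted per user when logged in and per client IP otherwise. Every name, key and address here is constructed for illustration.

```python
"""Added example: application identity (API key) vs user identity (session
cookie) kept as two separate concerns in one toy service."""
import hmac
import secrets
import time
from collections import defaultdict, deque


class RateLimited(Exception):
    """Raised when an identity exceeds its request budget for the window."""


class ToyService:
    """Constructed stand-in for a forum backend; not a real project's code."""

    def __init__(self, max_requests=5, window_seconds=60.0, clock=time.monotonic):
        self.api_keys = {}     # api key -> application name (identifies the app)
        self.users = {}        # username -> password (toy store, plaintext for brevity)
        self.sessions = {}     # cookie value -> username (binds requests to an account)
        self.posts = []        # submitted posts, each tagged with author and app
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock     # injectable so the window can be tested deterministically
        self._hits = defaultdict(deque)  # rate-limit buckets keyed by identity

    def register_app(self, app_name):
        # API key: names the calling application (a browser, a bot), not a person.
        key = secrets.token_urlsafe(24)
        self.api_keys[key] = app_name
        return key

    def create_user(self, username, password):
        # A real service would store a password hash; this is a constructed toy.
        self.users[username] = password

    def login(self, username, password):
        # Session cookie: issued to one account after it proves its credentials.
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = username
        return cookie

    def _identity(self, client_ip, cookie):
        # Logged-in requests are accounted per user; anonymous ones per client IP.
        user = self.sessions.get(cookie) if cookie else None
        return user, (f"user:{user}" if user else f"ip:{client_ip}")

    def _check_rate(self, bucket):
        # Sliding window: drop timestamps older than the window, then count.
        now = self.clock()
        hits = self._hits[bucket]
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            raise RateLimited(bucket)
        hits.append(now)

    def read(self, client_ip, cookie=None):
        # Reading requires neither an API key nor a login, only a rate budget.
        _, bucket = self._identity(client_ip, cookie)
        self._check_rate(bucket)
        return list(self.posts)

    def post(self, client_ip, text, cookie=None, api_key=None):
        user, bucket = self._identity(client_ip, cookie)
        self._check_rate(bucket)
        app = self.api_keys.get(api_key, "unknown-app")
        if user is None:
            # An API key alone says which app is calling; it cannot name the author.
            raise PermissionError("posting needs a session cookie, not just an API key")
        entry = {"author": user, "app": app, "text": text}
        self.posts.append(entry)
        return entry


if __name__ == "__main__":
    svc = ToyService()
    svc.create_user("alice", "correct horse")       # constructed account
    key = svc.register_app("example-browser")        # constructed app
    print("anonymous read:", svc.read("192.0.2.10"))
    try:
        svc.post("192.0.2.10", "hello", api_key=key)
    except PermissionError as exc:
        print("API key alone:", exc)
    cookie = svc.login("alice", "correct horse")
    print("with cookie:", svc.post("192.0.2.10", "hello", cookie=cookie, api_key=key))
```

The point the code makes explicit: swapping in a different API key changes only the `app` field, while the `author` field can only come from a valid session cookie, and the rate limiter never consults the API key at all.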

> It was not. A login cookie isn't an API key.

It was. Google "what is an api key", and the first result is

> An application programming interface (API) key is a code used to identify an application or user and is used for authentication in computer applications.

Yes, as you argue, it is indeed used to identify multi-user applications. It is also used to identify users. It is not as narrow as you thought. Learning something new is a good thing! I'll be abandoning this thread now. If you need to get the last word, go ahead. If you need a victory, then fine, I was wrong all along, you win.

Google "is a cookie an API key" and the first result is this:

https://news.ycombinator.com/item?id=39094541

Which says:

> A login cookie isn't an API key.

If the first result is authoritative then I guess that sorts it.

But your link was from this site:

https://www.fortinet.com/resources/cyberglossary/api-key

Which is confusing because it also says:

> API keys cannot be used for secure authorization because they are not as secure as authentication tokens. Instead, they identify an application or project that calls an API.

> API keys are generated by the project making a call but cannot be used to identify who created the project.

> API keys are used to identity projects, not the individual users that access a project.

Which certainly implies that API keys identify applications or projects. But it's not that confusing because when the first definition says "user" what it means in context is the application developer.

Using the same definition out of context would lead you to believe that, for example, your browser's user agent string is an API key. It's a code (i.e. symbols) that identifies an application or user (browser fingerprinting) and is used for authentication in computer applications (some sites may require you to authenticate again if your browser fingerprint changes too much). So clearly that definition is too broad without context. If you allow a loose enough definition of "code" it would make your screen resolution an API key because it can be used for fingerprinting in the same way.

> Which says:

> A login cookie isn't an API key.

You.... googled your own comment, and cited it as evidence that my google result was wrong?

I guess I'm done here.

There's a rate limiter that kicks in if you try to post or do other things as a logged in user too fast.
That also applies when you're not logged in.