Hacker News new | ask | show | jobs
by knodi123 875 days ago
> You can read this website (i.e. make queries against its database) without logging in

Yeah, but the sentence I replied to was "nobody signed up for an API key in order to make posts". That claim was false. Being able to read the website is a totally different topic.
1 comments
AnthonyMouse 875 days ago
> That claim was false.

It was not. A login cookie isn't an API key. It serves a different purpose, which you can observe on the services that do have an API key and then separately require some other credentials to make posts as a particular user account.

Here's a good way to distinguish them. If I want to make my own app (in this context a web browser), do I have to maintain some intermediary servers that the app makes requests through in order to keep my, the app developer's, API key a secret from the users who are using the app? No, the user only needs their own user account, and only for the things that require a user account, and the service expects for each user to have their own account, rather than each app.

link
knodi123 875 days ago
> It was not. A login cookie isn't an API key.

It was. Google "what is an api key", and the first result is

> An application programming interface (API) key is a code used to identify an application or user and is used for authentication in computer applications.

Yes, as you argue, it is indeed used to indentify multi-user applications. It is also used to identify users. It is not as narrow as you thought. Learning something new is a good thing! I'll be abandoning this thread now. If you need to get the last word, go ahead. If you need a victory, then fine- I was wrong all along, you win.

link
AnthonyMouse 875 days ago
Google "is a cookie an API key" and the first result is this:

https://news.ycombinator.com/item?id=39094541

Which says:

> A login cookie isn't an API key.

If the first result is authoritative then I guess that sorts it.

But your link was from this site:

https://www.fortinet.com/resources/cyberglossary/api-key

Which is confusing because it also says:

> API keys cannot be used for secure authorization because they are not as secure as authentication tokens. Instead, they identify an application or project that calls an API.

> API keys are generated by the project making a call but cannot be used to identify who created the project.

> API keys are used to identity projects, not the individual users that access a project.

Which certainly implies that API keys identify applications or projects. But it's not that confusing because when the first definition says "user" what it means in context is the application developer.

Using the same definition out of context would lead you to believe that, for example, your browser's user agent string is an API key. It's a code (i.e. symbols) that identifies an application or user (browser fingerprinting) and is used for authentication in computer applications (some sites may require you to authenticate again if your browser fingerprint changes too much). So clearly that definition is too broad without context. If you allow a loose enough definition of "code" it would make your screen resolution an API key because it can be used for fingerprinting in the same way.

link
knodi123 874 days ago
> Which says:

> A login cookie isn't an API key.

You.... googled your own comment, and cited it as evidence that my google result was wrong?

I guess I'm done here.

link
AnthonyMouse 874 days ago
It was the first result. Either that means it's right, and then there we are, or it means being the first result is no guarantee, and then what does that say about yours?
link