by cxr 838 days ago
> I've continued to think about that since how different is it really to have the "secret" be in the URL vs in a token you submit as part of the request for the URL

Extremely different. The former depends on the existence of a contract about URL privacy (not to mention third parties actually adhering to it) when no such contract exists. Any design for an auth/auth mechanism that depends on private links is inherently broken. The very phrase "private link" is an oxymoron.

> I am not sure why you think that having an obscure URI format will somehow give you a secure call (whatever that means). Identifiers are public information.

<https://roy.gbiv.com/untangled/2008/rest-apis-must-be-hypert...>
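An added illustration of the point above (example code, not part of the comment or the linked article): the same capability token either sits in the URL or travels in an `Authorization` header. Ordinary web-server access logging and default browser Referer behaviour copy the URL but not the header, so the URL form leaks with no one "breaking" anything; the last function is a simple check that flags secret-looking values in URLs, using a constructed token and hostname.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one capability token presented two ways (not a real credential).
CAP = "t0kEn_9f3a2b7c1d4e5f6a"
URL_SECRET = f"https://example.invalid/report?page=2&token={CAP}"  # secret in the URL
URL_CLEAN = "https://example.invalid/report?page=2"                 # secret in a header instead
HDR_SECRET = {"Authorization": f"Bearer {CAP}"}

def clf_line(method, url, headers=None, status=200):
    """Common Log Format request line as a typical web server writes it:
    the path and query string are logged; request headers (accepted here
    only to mirror the real request) are not."""
    s = urlsplit(url)
    target = s.path + (f"?{s.query}" if s.query else "")
    return f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "{method} {target} HTTP/1.1" {status} 512'

def referer_for_outbound(page_url):
    """Referer a browser sends to a third-party resource embedded in the page
    when no Referrer-Policy restricts it: the full URL minus the fragment."""
    return urlsplit(page_url)._replace(fragment="").geturl()

def shannon_entropy(value):
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def secret_like(value, min_len=16, min_entropy=3.0):
    """Heuristic: long, high-entropy strings are treated as credentials."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy

def find_url_secrets(url):
    """Flag query values and path segments that look like secrets, i.e. values
    that get copied into every log, cache key and Referer the URL passes through."""
    s = urlsplit(url)
    hits = [(k, v) for k, vs in parse_qs(s.query).items() for v in vs if secret_like(v)]
    hits += [("path", seg) for seg in s.path.split("/") if secret_like(seg)]
    return hits

if __name__ == "__main__":
    print(clf_line("GET", URL_SECRET))             # token visible in the access log
    print(clf_line("GET", URL_CLEAN, HDR_SECRET))  # token absent: it travelled in a header
    print(referer_for_outbound(URL_SECRET))        # token forwarded to a third party
    print(find_url_secrets(URL_SECRET))            # [('token', 't0kEn_9f3a2b7c1d4e5f6a')]
```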