All Questions
Tagged with apiauthentication
128 questions
0 votes · 1 answer · 51 views
When not to use Authorization Code Grant?
Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party? I've been using API keys for a package on my server to ...
0 votes · 0 answers · 71 views
How to assess poor OAuth security implementations?
What questions should I ask to determine if a given OAuth implementation is secure? I've been using a WordPress plugin for payments that authenticates with the payment gateway with an API key. I like ...
0 votes · 1 answer · 357 views
Using mTLS for API access control and authentication
My question is about using mTLS for API access control and authentication. I understand in mTLS, both the server and client (making the API request) will verify each other's identity. This allows the ...
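As an added example (not from the question above or from any project it mentions), the following shows the server-side half of what mTLS gives you and what it does not: the TLS context that actually requires a client certificate, and then a separate step that maps the verified certificate to an identity and checks that identity against a route policy. The certificate dict, the `spiffe://` URIs, the issuer name, the file paths and the route policy are all constructed for the example.

```python
import ssl

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns
# after a successful handshake with verify_mode=CERT_REQUIRED (values made up).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "billing-worker"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Internal API Client CA"),)),
    "subjectAltName": (("URI", "spiffe://example.internal/svc/billing-worker"),),
    "serialNumber": "0A1B2C",
}

# Hypothetical policy: which client identity may call which method+path.
ROUTE_POLICY = {
    "spiffe://example.internal/svc/billing-worker": {"GET /invoices", "POST /invoices"},
    "spiffe://example.internal/svc/reporting": {"GET /invoices"},
}
TRUSTED_ISSUER_CN = "Internal API Client CA"  # hypothetical internal client CA


def make_server_context(cert_file, key_file, client_ca_file):
    """TLS context that requires a client certificate chained to client_ca_file.

    The weak setting would be verify_mode=ssl.CERT_NONE (or CERT_OPTIONAL with no
    later check), which lets anonymous clients through. File paths are assumptions.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=client_ca_file)  # only this CA may issue client certs
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _rdn_dict(name):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {k: v for rdn in name for (k, v) in rdn}


def client_identity(peercert):
    """Map a verified client cert to a stable identity string, or None.

    Identity is taken from a single URI SAN, not from the CN: CNs are free text
    and easy to collide; the SAN is what the CA's issuance policy controls.
    """
    if not peercert:
        return None  # no verified client cert (CERT_OPTIONAL/CERT_NONE path)
    if _rdn_dict(peercert.get("issuer", ())).get("commonName") != TRUSTED_ISSUER_CN:
        return None  # chain verified, but not by the CA we hand out client certs from
    uris = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "URI"]
    if len(uris) != 1:
        return None  # ambiguous or missing identity
    return uris[0]


def authorize(peercert, method, path):
    """Authentication (who is this?) is not authorization (may they do this?)."""
    ident = client_identity(peercert)
    return ident is not None and f"{method} {path}" in ROUTE_POLICY.get(ident, set())
```

The handshake only proves the client holds a key for a certificate the configured CA signed; `authorize` is where access control happens, and the issuer check matters as soon as more than one CA is in the trust store.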
0 votes · 1 answer · 275 views
How is Sentry's public key protected when the token is in front end code?
In Sentry's documentation they explain that you can use a public token to use their API; <script src="https://js.sentry-cdn.com/examplePublicKey.min.js" crossorigin="anonymous&...
2 votes · 1 answer · 476 views
Should I return JWT tokens on a login route even if I am using cookies?
I have built a basic REST API that uses Json Web Tokens for authentication. Currently, I have built my frontend to store the JWTs in localStorage. I have read this is insecure and want to switch to ...
1 vote · 1 answer · 266 views
What is the easiest way to implement a "passthrough" to let a device bypass the header requirement of an API which we both own?
For starters, I don't have any prior knowledge of implementing security/authentication on backends and frontends because of various reasons. So please forgive my ignorance. So I implemented JWT token ...
5 votes · 1 answer · 337 views
Protection of API from abuse (signup and carding attacks)
I have a backend (API) and mobile apps. Mobile app users use the same client_id (OAuth2). Now I see many bots signing up and adding credit cards to check them (carding). I cannot throttle or limit them since ...
1 vote · 1 answer · 193 views
Is it possible to authenticate a device with a server without the device knowing any sort of secret?
Pretty much what the title says. I have been playing around with discord webhooks lately and one problem I have discovered is that anyone with the webhook url/token can send messages. This means that ...
3 votes · 1 answer · 5k views
Is it safe to send an API key in an HTTPS request? [duplicate]
Q: Is it 'safe' to include a secret API Key in a HEADER (for a request) which prevents bad actors from creating their own evil-requests by using your API Key ? We need to send data to a 3rd party from ...
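Added example, not from the question above: HTTPS keeps the header confidential in transit, so the remaining risks are the key at rest and in logs. The block shows the server side of an API key scheme that addresses those: the key is split into a lookup prefix and a secret, only a hash of the key is stored, and comparison is constant-time even for unknown prefixes. The `X-API-Key` header name, the key layout and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical key layout "<prefix>.<secret>": the prefix is a lookup handle stored
# in clear; the full key is stored only as a SHA-256 digest. Keys are random and
# high-entropy, so a fast hash is fine (no password-style slow hash needed).
HEADER_NAME = "X-API-Key"  # assumed header name; "Authorization: Bearer" works the same way
_DUMMY_HASH = hashlib.sha256(b"no-such-key").hexdigest()


def _hash_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the server's key table (constructed for the example)."""

    def __init__(self):
        self._records = {}  # prefix -> {"hash": str, "owner": str, "revoked": bool}

    def issue(self, owner: str) -> str:
        key = f"{secrets.token_urlsafe(6)}.{secrets.token_urlsafe(32)}"
        prefix = key.split(".", 1)[0]
        self._records[prefix] = {"hash": _hash_key(key), "owner": owner, "revoked": False}
        return key  # shown to the owner once; the server cannot recover it later

    def revoke(self, key: str) -> None:
        rec = self._records.get(key.split(".", 1)[0])
        if rec:
            rec["revoked"] = True

    def authenticate(self, presented: str):
        """Return the owner for a valid key, else None. Constant-time on the secret."""
        rec = self._records.get(presented.split(".", 1)[0])
        expected = rec["hash"] if rec else _DUMMY_HASH  # always do one comparison
        ok = hmac.compare_digest(expected, _hash_key(presented))
        if not ok or rec is None or rec["revoked"]:
            return None
        return rec["owner"]


def authenticate_request(store: ApiKeyStore, headers: dict):
    """Resolve the caller from request headers; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    key = lowered.get(HEADER_NAME.lower())
    if not key:
        return None
    # Never write `key` to logs; the stored digest is enough to correlate incidents.
    return store.authenticate(key.strip())
```

A leaked database then yields only digests of random keys, and a leaked key can be revoked by prefix without knowing the secret.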
1 vote · 1 answer · 1k views
Authentication using JWT signature, without header and payload
I am evaluating JWT as authentication mechanism for an API. The idea is to use JWT as API key. One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, ...
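Added example, not from either question it relates to (the login-route-and-cookies question above and this one) and not from any project: a minimal HS256 JWT issuer and verifier in the standard library, with the backend state change the question raises implemented as a `jti` revocation list, plus a login route that puts the token in an `HttpOnly` cookie and deliberately does not echo it in the body. The signing key, cookie name and TTL are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side HS256 secret; in production load it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
COOKIE_NAME = "session"  # assumed cookie name
TTL_SECONDS = 3600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_jwt(claims: dict, key: bytes, now=None) -> str:
    """HS256 JWT with iat/exp and a random jti so the token can be revoked later."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + TTL_SECONDS, jti=secrets.token_urlsafe(16))
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(body))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """The backend state change: revoked jti values, kept only until their exp."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}


def verify_jwt(token: str, key: bytes, revoked: RevocationList, now=None):
    """Return the claims if algorithm, signature, expiry and revocation all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # rejects alg=none and any tampering with header or payload
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if revoked.is_revoked(claims.get("jti")):
        return None
    return claims


def login_response(user_id: str, key: bytes = SIGNING_KEY) -> dict:
    """Login route output when sessions live in a cookie: the token goes into an
    HttpOnly cookie only; the body does not echo it, so page scripts (and any XSS)
    never get a copy to stash in localStorage."""
    token = mint_jwt({"sub": user_id}, key)
    cookie = f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={TTL_SECONDS}"
    return {"status": 200, "headers": {"Set-Cookie": cookie}, "body": {"ok": True}}


def token_from_cookie_header(cookie_header: str):
    """Pull the session token back out of a request's Cookie header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None
```

Because revocation needs a lookup on every request, it is only worth the state if the TTL is long; the alternative is a short `exp` with a separate refresh step, which bounds the window without a list. Note also that `verify_jwt` pins the algorithm to `HS256` before checking the signature, which is the check that stops `alg: none` tokens.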
0 votes · 0 answers · 77 views
Authenticate requests from landing page to API passing through proxy
Imagine the scenario where you have a client who wants you to implement calls to an external API on a landing page that you've set up for them. The external API works based on a contract and API keys ...
1 vote · 0 answers · 2k views
Why is "application/x-www-form-urlencoded" normally used for login but not for registration?
I may be wrong, but for security reasons, in REST APIs the login credentials are always sent with the content type application/x-www-form-urlencoded. But I haven't seen the same with user registration;...
0 votes · 0 answers · 350 views
OpenID Connect for authenticating a web API
I want to accomplish the following: having a web application or mobile app authenticate users using OpenID Connect; having a REST API authenticated using OpenID Connect with the same user as for ...
1 vote · 1 answer · 286 views
Do sites like reddit and Quora expose their Google API client keys to the public?
On Quora, when I want to sign in using Google, I am redirected to this URL, which has a parameter client_id=917071888555.apps.googleusercontent.com. Similarly, reddit takes me here, which has ...
2 votes · 1 answer · 1k views
Creating secure website-based login for a desktop app
This question relates to this post I made on StackOverflow recently, which I'll recap here briefly. I have a desktop app that I would like to authenticate through a website, using the process outlined ...