All Questions
21 questions
0 votes · 1 answer · 275 views
How is Sentry's public key protected when the token is in front-end code?
In Sentry's documentation they explain that you can use a public token to use their API; <script src="https://js.sentry-cdn.com/examplePublicKey.min.js" crossorigin="anonymous&...
1 vote · 1 answer · 1k views
Authentication using JWT signature, without header and payload
I am evaluating JWT as an authentication mechanism for an API. The idea is to use JWT as an API key. One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, ...
2 votes · 0 answers · 792 views
API keys or Client Credentials flow? Good practice to control application access to a deployed web component
Company A developed a widget (Web Component) deployed on several clients/partners. Only clients/partners must be authorized to use the widget. No need to distinguish between individual end users (clients' ...
2 votes · 2 answers · 6k views
How to securely store and use session IDs
I'm not sure what's the option to store and manage session IDs for long lived sessions (3-6 months each). Given that the session ID is generated with enough entropy and that the session ID is then ...
0 votes · 1 answer · 2k views
What are the industry guidelines on sharing secrets like API or access token?
I'm currently looking for guidelines on sharing API tokens or Access tokens securely, for integrating a third-party application with my own. The two methods I'm currently thinking of are: PGP: I could ...
2 votes · 0 answers · 139 views
Issuing Personal Access Tokens for my APIs
I have an intranet site, hosted locally within my organisation. The same site also exposes some data through various web services. It's written using ASP.NET MVC 5 and WebAPI 2. At the moment users ...
3 votes · 1 answer · 3k views
How to prevent refreshing a stolen access token
The scenario is: you have a refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time. The setup: there is a client, an application server and ...
14 votes · 2 answers · 17k views
How to allow users to connect from multiple devices with refresh tokens?
This question follows my previous one: How to securely keep my users signed in with refresh tokens? What I got from this previous question, is that we need: short-lived access tokens long-lived one-...
1 vote · 2 answers · 396 views
Creating my own tokens to secure communication with my API
I have an API communicating with my client; now I want to secure that API so that only my client can use it. I am planning to do the following. Since I have no experience in this, I have gathered all ...
3 votes · 1 answer · 2k views
Securing Authentication Tokens Stored in the Server-Side Database
I'm working on extending a web application with a RESTful HTTP-based API. We decided to require the client to supply an authentication token in each request (instead of using sessions or other multi-...
1 vote · 0 answers · 1k views
Storing password or access token in standalone Java app
I have a simple Java app that uses Eclipse JGit to pull remote repositories into the app to analyze them and provide the user with code metric details on their projects. This app is supposed to be able to ...
1 vote · 2 answers · 456 views
Is this a good enough approach to securing a RESTful API?
I want to use token-based authentication where the user would log in with a username/password combination. The server would make sure the username and password match and then return a token which ...
5 votes · 1 answer · 3k views
Sending non-expiring access token on each request vs using refresh tokens?
When securing REST APIs for mobile applications, what you often see is the use of refresh tokens. They exist because: access tokens have an expiration date. We don't want the user to have to enter his ...
4 votes · 1 answer · 298 views
Best practices for relatively simple API for our clients
I've been reading a lot about many API security considerations, the differences in terminology, OAUTH, OpenID, etc. Although I understand their absolute necessity when it comes to securing an API ...
8 votes · 1 answer · 5k views
Simple, Secure PHP API Design
I'm trying to design a secure RESTful API web service with as few moving parts as possible. I have some questions, and want to make sure my design is secure. For the data transmission level of ...