pixelatedindex 3 days ago
I mean… is adding an OAuth layer in 2025 adding that much complexity? If you’re scripting then there’s usually some package native to the language; if you’re using Postman you’ll need to generate your authn URL (or do username/passwords for client ID/secret). If you have sensitive resources they’ll be blocked behind some authz anyway. An exception I’ve seen is access to a sandbox env; those are easily generated at the press of a button.
cyberax 3 days ago
No, I'm just saying that an OAuth layer isn't really adding much benefit when you either use an API key to obtain the refresh token or the refresh token itself becomes a long-term secret, not much better than an API key. Some way to break out of the "shared secret" model is needed. Mutual TLS is one way that is at least getting some traction.