API Authentication Model
So I’m in the process of modeling a few applications that will include a fairly rich set of APIs and I had some time to spend really thinking through how I want to design the authentication model. After thinking about it for a while, I decided that, well, I can’t decide. As a result, I thought I’d call on any collective wisdom I can gather and see what others are doing and, perhaps more importantly, why.
First, let me state that these applications are not DoD(Department of Defense)-grade applications. We need something stronger than security through obscurity and something (significantly) less than national security cryptography.