Comment on How to store user's access tokens/API keys without hashing them?
pe1uca@lemmy.pe1uca.dev 9 months agoI agree, the token has a lifespan of some hours so it could be generated after that amount of time, which for a ~400ms call is not that much, but I was overruled .-.
The only thing I control is the API, the client’s implementation is outside of my control (although I know is a backend service).
JakenVeina@lemm.ee 9 months ago
Okay, so you’re building an API that another server needs to auth with? If the opposing side is a server, a pre-shared PKI cert ought to work. If the opposing side is a potentially-untrustworth client application, the truth is there’s nothing that’s going to fit such a simple definition of “extra”. The back and forth it takes to establish token exchange is not “extra” is the cost you have to pay to get security.