
No, I'm just saying that an OAuth layer isn't really adding much benefit when you either use an API key to obtain the refresh token or the refresh token itself becomes a long-term secret, not much better than an API key.

Some way to break out of the "shared secret" model is needed. Mutual TLS is one way that is at least getting some traction.



Refresh tokens aren’t necessarily long lived, you can force the client to exchange for another refresh token.
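
The rotation mentioned in the reply above, as an added example that is not part of the original thread: each exchange retires the presented refresh token and issues a new one. It goes one step beyond the comment by also revoking the whole token family when a retired token is replayed. `RefreshTokenStore`, `REFRESH_TTL` and the in-memory storage are assumptions made for illustration, not any particular OAuth server's API.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 3600  # assumed lifetime, in seconds, of each refresh token


class RefreshTokenStore:
    """In-memory store (illustrative); tokens are kept only as SHA-256 hashes."""

    def __init__(self):
        self._tokens = {}      # token hash -> {"family", "expires", "used"}
        self._revoked = set()  # family ids revoked after a replay was seen

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, family=None, now=None):
        """Mint a refresh token; a new family id is created on first issue."""
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[self._h(token)] = {
            "family": family,
            "expires": now + REFRESH_TTL,
            "used": False,
        }
        return token

    def exchange(self, token, now=None):
        """Return a replacement refresh token, or None if the request is rejected."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._h(token))
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"]:
            # A rotated-out token came back: treat the whole family as stolen.
            self._revoked.add(rec["family"])
            return None
        if now >= rec["expires"]:
            return None
        rec["used"] = True  # single use: the old token is now retired
        return self.issue(family=rec["family"], now=now)
```

With rotation, a copied refresh token is only useful until the legitimate client next exchanges it, and the replay itself becomes a detection signal.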



