July 19th, 2013
The subject of API security raises some debate. Halliday and Shaw feel that new security protocols such as OAuth have become a drag on the original excitement of consuming APIs with command line tools such as curl. However, Cavage counters that security must align with the value of the API you are protecting and that HTTP basic authentication is often not sufficient. Cavage introduces HTTP Signatures, which he says is better than passwords but "easier than the other [protocols]". HTTP Signatures add origin authentication, message integrity and replay resistance to HTTP requests. Developed at Joyent, HTTP Signatures has recently been submitted to the IETF.
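To make the three properties concrete, here is an added sketch (not code from the talk, the page, or Joyent) of a server-side check for an HMAC-signed request whose signing string is modelled on the HTTP Signatures draft. The key ID, shared secret, request path, required field set and five-minute freshness window are assumptions chosen for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

KEYS = {"demo-key": b"constructed-shared-secret"}   # constructed demo secret
MAX_SKEW = timedelta(minutes=5)                      # assumed freshness window
REQUIRED = {"(request-target)", "date", "digest"}    # fields this verifier insists on

def body_digest(body):
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def _mac(key, method, path, headers, names):
    # Signing string: one "name: value" line per covered field, in listed order.
    lines = [f"{n}: {method.lower()} {path}" if n == "(request-target)"
             else f"{n}: {headers.get(n, '')}" for n in names]
    digest = hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest)

def sign(key_id, method, path, headers):
    names = ["(request-target)", "date", "digest"]
    sig = _mac(KEYS[key_id], method, path, headers, names).decode()
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(names)}",signature="{sig}"')

def verify(method, path, headers, body, authorization, now):
    fields = authorization[len("Signature "):].split(",")
    p = {k: v.strip('"') for k, v in (f.split("=", 1) for f in fields)}
    names, key = p["headers"].split(" "), KEYS.get(p["keyId"])
    if key is None or not REQUIRED <= set(names):
        return "rejected: unknown key or unsigned fields"
    # Origin authentication: only a holder of the key can produce this MAC.
    if not hmac.compare_digest(_mac(key, method, path, headers, names), p["signature"].encode()):
        return "rejected: bad signature"
    # Message integrity: the signed Digest header must match the received body.
    if headers["digest"] != body_digest(body):
        return "rejected: body altered"
    # Replay resistance: the signed Date must fall inside the freshness window.
    if abs(now - parsedate_to_datetime(headers["date"])) > MAX_SKEW:
        return "rejected: stale request"
    return "accepted"

def demo():  # constructed request: genuine, retargeted, body-tampered, replayed late
    body = b'{"name":"vm1"}'
    headers = {"date": "Fri, 19 Jul 2013 12:00:00 GMT", "digest": body_digest(body)}
    auth = sign("demo-key", "POST", "/machines", headers)
    t0 = datetime(2013, 7, 19, 12, 0, 30, tzinfo=timezone.utc)
    return [verify("POST", "/machines", headers, body, auth, t0),
            verify("POST", "/admin", headers, body, auth, t0),
            verify("POST", "/machines", headers, b'{"name":"x"}', auth, t0),
            verify("POST", "/machines", headers, body, auth, t0 + timedelta(hours=1))]
```

The date check only bounds how long a captured request stays usable; a server that needs to reject replays inside that window would also have to remember recently seen signatures.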