
> JWT is crazy annoying compared to "pass an API key" in the header.

An API key and a JSON Web Token have completely different purposes. API keys don't solve authorization.

A single JWT provider can authorize many different servers.

Furthermore, Go already has several good JWT libraries.




And JWTs don't solve authentication, which was the actual problem people were looking to solve. For a prototyping server, authn==authz is more than fine.


> And JWTs don't solve authentication, which was the actual problem people were looking to solve. For a prototyping server, authn==authz is more than fine.

Re-read the OP

> Unfortunately, to do anything complicated, you will need to write server-side queries that verify that the user is allowed to do what they are trying to do.

This is authorization, not authentication. Your assertion is false in the first place.

Your comment makes no sense, by the way. You'd have the exact same issue with another authorization scheme; the credentials need to come from somewhere.

There is no such thing as "prototyping servers" in the wild. Only blatantly insecure open source servers.


For a demo application, there may be only one user.



