Andrew Lundgren

Reputation: 1154

Is accepting auth tokens as parameters secure?

I am creating a stock-trading app which uses the Alpaca API. I don't want to store the user's username/password or API key/secret, so as to avoid the security concern of storing such valuable credentials in my own hosted DB.

My thought is to store the API token locally, such as encrypted in local storage or with their fingerprint, then pass it to the API call (over HTTPS) each time an operation is needed. The server-side API will use the token but store nothing.

I feel this is more secure, as the key/secret never leave the client, and only the token is passed over an encrypted channel. In the event of a data breach, it would be per-device rather than the entire DB of all credentials.

I'm very eager to hear the thoughts of the community.

Upvotes: 0

Views: 49
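Added example, not code from the original post or from Alpaca: a stateless pass-through handler in Python that models the design described in the question. The client keeps the Alpaca key ID and secret, sends both as request headers on every call, and the server forwards them to Alpaca and keeps only a redacted audit record. The practical risk behind "accepting auth tokens as parameters" is where the token travels: a credential in a URL query string is written to access logs, proxy logs, browser history and Referer headers, so the handler rejects any request that carries credentials that way. The inbound request shape (a plain dict), the inbound header names, the paper-trading host and the sample credentials are assumptions constructed for this example; `APCA-API-KEY-ID` and `APCA-API-SECRET-KEY` are the header names Alpaca's REST API uses for key-based authentication.

```python
"""Stateless credential pass-through for an Alpaca-backed trading service.

Added example, not the original poster's code and not Alpaca's. The client
keeps the Alpaca key ID/secret and sends both on every request; this server
side forwards them upstream without persisting them. The inbound request
shape, inbound header names, upstream host and sample values are assumptions.
"""
import hashlib
from urllib.parse import parse_qs, urlsplit

# Header names Alpaca's REST API uses for key-based authentication.
ALPACA_KEY_HEADER = "APCA-API-KEY-ID"
ALPACA_SECRET_HEADER = "APCA-API-SECRET-KEY"

# Assumed inbound header names: the client sends credentials as headers only.
CLIENT_KEY_HEADER = "x-alpaca-key-id"
CLIENT_SECRET_HEADER = "x-alpaca-secret"

# Query parameters that must never carry credentials: URLs end up in access
# logs, proxy logs, browser history and Referer headers.
FORBIDDEN_QUERY_PARAMS = {"key_id", "secret", "token", "api_key", "api_secret"}

UPSTREAM = "https://paper-api.alpaca.markets"  # assumed paper-trading host


class RelayError(Exception):
    """The inbound request must be rejected with the given HTTP status."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def build_upstream_request(inbound):
    """Map one inbound request to the upstream Alpaca request.

    inbound = {"method": str, "url": str (path plus optional query),
               "headers": {name: value}}
    The credentials live only in the returned dict; nothing is cached.
    """
    parts = urlsplit(inbound["url"])
    query_names = {n.lower() for n in parse_qs(parts.query, keep_blank_values=True)}
    if query_names & FORBIDDEN_QUERY_PARAMS:
        raise RelayError(400, "send credentials in headers, not in the URL")

    headers = {k.lower(): v for k, v in inbound["headers"].items()}
    key_id = headers.get(CLIENT_KEY_HEADER)
    secret = headers.get(CLIENT_SECRET_HEADER)
    if not key_id or not secret:
        raise RelayError(401, "missing Alpaca credentials")

    # Forward only what Alpaca needs. Every other inbound header (cookies,
    # our own session, tracing headers) is dropped rather than relayed.
    upstream_url = UPSTREAM + parts.path + (f"?{parts.query}" if parts.query else "")
    return {
        "method": inbound["method"],
        "url": upstream_url,
        "headers": {
            ALPACA_KEY_HEADER: key_id,
            ALPACA_SECRET_HEADER: secret,
            "Accept": "application/json",
        },
    }


def audit_record(inbound, status):
    """The only thing the server keeps: a log record with no credential in it.

    The key ID is replaced by a short SHA-256 fingerprint so requests from one
    client can be correlated without the log becoming a credential store; the
    secret is never touched and the query string is dropped entirely.
    """
    headers = {k.lower(): v for k, v in inbound["headers"].items()}
    key_id = headers.get(CLIENT_KEY_HEADER, "")
    key_fp = hashlib.sha256(key_id.encode()).hexdigest()[:12] if key_id else "-"
    return {
        "method": inbound["method"],
        "path": urlsplit(inbound["url"]).path,
        "status": status,
        "key_fp": key_fp,
    }


def handle(inbound):
    """Process one request: returns (status, audit_record, upstream_or_None)."""
    try:
        upstream = build_upstream_request(inbound)
        status = 200  # a real server performs the upstream HTTPS call here
    except RelayError as exc:
        upstream, status = None, exc.status
    return status, audit_record(inbound, status), upstream


# Constructed sample traffic (not real credentials).
GOOD_REQUEST = {
    "method": "GET",
    "url": "/v2/account",
    "headers": {
        "X-Alpaca-Key-Id": "PKEXAMPLEKEYID0000",
        "X-Alpaca-Secret": "EXAMPLESECRETnotreal",
        "Cookie": "session=abc123",
    },
}
LEAKY_REQUEST = {
    "method": "GET",
    "url": "/v2/account?key_id=PKEXAMPLEKEYID0000&secret=EXAMPLESECRETnotreal",
    "headers": {},
}
```

Calling `handle(GOOD_REQUEST)` yields status 200, an upstream request carrying only the two Alpaca headers plus `Accept`, and an audit record containing a key fingerprint but neither credential; `handle(LEAKY_REQUEST)` is refused with 400 before anything is forwarded, and its audit record still contains only the path, not the query string. What the example deliberately leaves out: the client-side encryption at rest the question mentions, and the upstream call itself, where a real server must also take care not to log upstream error responses or exception text that could echo the request headers.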

Answers (1)

Hitoshi Harada

Reputation: 41

Alpaca CTO here.

There has been a feature request in the Alpaca official issues tracker for adding OAuth for this very use case.

https://github.com/alpacahq/Alpaca-API/issues/20

This would solve the problems you mention and we are eager to add it. In the meantime, yes, your method would work too. The key point here is that the API key ID/secret is kind of like a user/password, so don't store it in raw format or expose it to the client side.

Upvotes: 1
