Reputation: 23
Can I send access token using GET method?
I'm building RESTful API, but I have some question while implementing /valid
endpoint.
/valid endpoint checks token expiration.
Is GET method good choice for this endpoint?
Is there any problem with sending token using GET method? (like http://some.api/valid?access_token=ACCESS.TOKEN.STRING )
Upvotes: 0
Views: 1420
Answers (1)
Reputation: 4630
If you use GET, your server log will be full of access tokens. This may be a security issue to consider.
What you're doing is essentially RPC, passing a parameter (access token) into a function (validate).
To do it using REST, you could consider the resource as the access token. As you have it, it's already been created (POST) so you would want to interact with it in some way. PUT updates a resource but you're not updating but you're not using REST either so it doesn't really matter. You could use POST but as I said, the resource (access token) has already been created.
So to get as close as possible to REST, you could:
PUT /accesstoken/validate
body: ACCESS.TOKEN.STRING
and get a suitable response. It also allows the server to track whether the access token has ever been validated, if that's of relevance. As it's RPC, it means the server could do other things that may update the resource in some way. i.e. number of times it's been validated and the ip address it was validated from, increasing security perhaps.
Upvotes: 1
Related Questions
- Send GET request with token using Java HttpUrlConnection
- Is it safe to put a jwt into the url as a query parameter of a GET request?
- Can I use GET api when passing authentication token
- Sending JWT token with browser get requests
- Is it safe to put a Jwt in a https get request?
- How can I get authorization token in rest API using rest assured? Is it possible?
- Specify OAuth token in GET URL
- Get access to REST API using JWT security token
- Using GET method in RESTful API where authentication is required
- oauth2.0 how to pass access token