[asterisk-app-dev] Removal of api_key

Corey Edwards tensai at zmonkey.org
Thu Oct 17 10:54:20 CDT 2013


On Thu, Oct 17, 2013 at 8:05 AM, David M. Lee <dlee at digium.com> wrote:
>
> On Oct 17, 2013, at 12:22 AM, Paul Belanger <paul.belanger at polybeacon.com> wrote:
>
>> Now, the reason for having it was because this was the default way
>> swagger passed credentials via HTTP.  I'm not sure why they didn't
>> simply add http://username:password@example.org support, but that is a
>> different issue (in fact I plan to open a bug upstream).
>
> There have been a few cases where an HTTP or WebSocket client library
> didn't support HTTP Basic auth. Putting the HTTP Basic auth header in
> there is not hard, but adding an ?api_key param is dead simple.

The Perl Protocol::WebSocket library does not support Basic auth and having
api_key available was a very useful feature to me. I could imagine many other
websocket libraries being the same way. Compared to basic auth, I don't
see any significant security risk.

Corey



More information about the asterisk-app-dev mailing list