moderated API Authorization: Bearer instead of Basic #suggestion


jay@...
 

Been writing some babysitting queries that interact with the API to get members and database rows.

While the API docs clearly say HTTP Basic Auth when using the token style of authentication, it never explains that the token goes in the username field and nothing goes in the password field. Took some trial and error to figure that one out.

But why use Authorization: Basic when you are already set up for Authorization: Bearer?

So, we have a JWT that is already Base64 encoded (and signed). Without any modification, that token can be added to the request header as:
Authorization: Bearer <token>
Instead, we have to package the JWT up again and pass it as follows:
Authorization: Basic Base64.encode(<token> + ":")
Just wondering why the slightly unique approach over the more conventional (and less confusing) approach?

And, I can't really divine if the future is a cookie-only API, or if tokens will also be part of that future.

Thank you for the API, btw.
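
The two header forms compared in the post, as an added example that is not part of the original post or of the API's own code. The function names and the sample token are constructed for illustration, and the parser shows how a service could accept either scheme; it is an assumption, not the API's documented behaviour.

```python
import base64
import binascii

def basic_header_from_token(token: str) -> str:
    """Token in the username field, empty password (the form the post describes)."""
    if ":" in token:
        raise ValueError("a Basic user-id cannot contain ':' (RFC 7617)")
    raw = f"{token}:".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def bearer_header_from_token(token: str) -> str:
    """Token passed through unchanged."""
    return "Bearer " + token

def token_from_authorization(header: str) -> str:
    """Server-side view: recover the token from either scheme, or raise ValueError."""
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if not value:
        raise ValueError("missing credentials")
    if scheme.lower() == "bearer":
        return value
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        # Split on the first ':' only: user-id before it, password after it.
        user, sep, password = decoded.partition(":")
        if not sep or not user or password:
            raise ValueError("expected '<token>:' with an empty password")
        return user
    raise ValueError(f"unsupported scheme: {scheme!r}")

# Constructed sample: JWT-shaped string, not a real credential.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"

if __name__ == "__main__":
    for h in (basic_header_from_token(SAMPLE_TOKEN),
              bearer_header_from_token(SAMPLE_TOKEN)):
        print(h, "->", token_from_authorization(h) == SAMPLE_TOKEN)
```

Both headers carry the same credential: the Base64 layer in the Basic form is reversible encoding, so either header needs the same protection in transit and in logs.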