alpacahq / Alpaca-API

The Alpaca API is a developer interface for trading operations and market data reception through the Alpaca platform.
https://alpaca.markets/

Enhance API endpoint security with stronger authentication #61

Open bdowling opened 5 years ago

bdowling commented 5 years ago

Seek to implement a stronger API authentication mechanism, such as HMAC-signed API requests or certificate-based client authentication.
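What the HMAC-signed-request proposal above looks like end to end, as an added example that is not Alpaca's code and not part of this issue. Both sides are shown: the client signs a canonical string (method, path, timestamp, nonce, SHA-256 of the body) with the secret, and the server recomputes the MAC, compares it in constant time, and rejects stale or replayed requests. The header names, canonical string layout, clock window, key ID, secret and the sample order body are all assumptions constructed for illustration; the `/v2/orders` path is only a sample path.

```python
# Added example (not Alpaca's code): HMAC-signed API requests.
# Header names, canonical-string layout and the clock window are assumptions.
import hashlib
import hmac
import secrets
import time

# Constructed sample credential; a real key ID / secret pair is issued by the server.
KEY_ID = "AKEXAMPLE123"
SECRET = b"constructed-secret-do-not-reuse"

CLOCK_SKEW = 300  # seconds a signed request stays valid (assumption)


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every security-relevant part of the request into one byte string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, secret, method, path, body=b"", timestamp=None, nonce=None):
    """Client side: returns the headers to attach. The secret itself is never sent."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


class Verifier:
    """Server side: look up the secret by key ID, recompute the MAC,
    reject requests outside the clock window and replayed nonces."""

    def __init__(self, secrets_by_key_id, clock_skew=CLOCK_SKEW):
        self._secrets = secrets_by_key_id  # the server must hold the raw secret for HMAC
        self._skew = clock_skew
        self._seen = {}  # nonce -> timestamp, pruned to the clock window

    def verify(self, headers, method, path, body=b"", now=None):
        now = int(time.time()) if now is None else now
        try:
            key_id = headers["X-Key-Id"]
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        secret = self._secrets.get(key_id)
        if secret is None:
            return False, "unknown key id"
        if abs(now - ts) > self._skew:
            return False, "timestamp outside allowed window"
        # Drop nonces older than the window; anything older is rejected by the check above anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._skew}
        if nonce in self._seen:
            return False, "replayed nonce"
        expected = hmac.new(
            secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        self._seen[nonce] = ts  # only record nonces of requests that verified
        return True, "ok"


if __name__ == "__main__":
    verifier = Verifier({KEY_ID: SECRET})
    body = b'{"symbol": "AAPL", "qty": 1, "side": "buy"}'  # constructed sample body
    hdrs = sign_request(KEY_ID, SECRET, "POST", "/v2/orders", body)
    print(verifier.verify(hdrs, "POST", "/v2/orders", body))  # (True, 'ok')
    print(verifier.verify(hdrs, "POST", "/v2/orders", body))  # (False, 'replayed nonce')
    tampered = body.replace(b'"qty": 1', b'"qty": 100')
    print(verifier.verify(hdrs, "POST", "/v2/orders", tampered))  # (False, ...)
```

Two caveats a practitioner should weigh before adopting this: it does not replace TLS (the canonical string is authenticated, not encrypted, and anything outside it is still tamperable), and the server has to keep the secret in a recoverable form to compute the MAC, so it cannot be stored as a one-way hash the way a password-style bearer secret can.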

Furb13 commented 5 years ago

+1 for additional security. In addition to the above, also consider IP whitelisting.

garyha commented 5 years ago

Speaking of security, can someone explain why our secret key is sent in requests? Aren't secret and public key pairs intended for encryption? Doesn't sharing a secret key defeat the purpose of encryption? A secret key is called secret for a reason; it is supposed to be kept secret, shared with no one.

Another point on security: no server should ever store a password under any circumstances whatsoever, only a hash of it instead. If you are storing any website login passwords, please switch to a hash instead.

umitanuki commented 5 years ago

@garyha The API secret key is secret because it's known only to you. Alpaca never stores it after generating it. You need to send something that identifies you for us to authenticate you as you, which is the API key and secret. Sending it under HTTPS is generally considered secure.

Alpaca never stores your password in a raw format. I don't know where you heard so, but we have never stored it in raw format since the beginning of the service.
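The storage practice garyha asks about and umitanuki confirms, as an added example that is not Alpaca's code and says nothing about how Alpaca actually implements it: the server keeps only a salted, deliberately slow hash of the credential (a login password, or a bearer-style API secret that is handed to the user once), verifies a presented credential by recomputing with the stored salt, and compares in constant time. The record format, PBKDF2 parameters and the `issue_api_secret` helper are assumptions chosen for illustration.

```python
# Added example (not Alpaca's code): store only a salted slow hash of a credential.
# Record format and PBKDF2 parameters are assumptions for illustration.
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on your hardware


def hash_credential(credential: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    The plaintext credential cannot be recovered from the record; the per-record
    salt means two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(credential: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time.
    Malformed or unrecognised records fail closed."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def issue_api_secret() -> Tuple[str, str]:
    """Generate a bearer-style API secret. Returns (secret_to_show_once, record_to_store).
    After this returns, the server keeps only the record, never the secret."""
    secret = secrets.token_urlsafe(32)
    return secret, hash_credential(secret)


if __name__ == "__main__":
    shown_once, stored = issue_api_secret()
    print(stored)                                  # what the database holds
    print(verify_credential(shown_once, stored))   # True
    print(verify_credential("wrong", stored))      # False
```

Keeping the algorithm and iteration count inside the record is what lets you raise the work factor later and re-hash users on their next successful login without a migration. A credential stored this way can only be verified, not reproduced, which is why it suits a secret the client sends as-is over HTTPS but not one the server must itself use to compute a signature.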

Furb13 commented 5 years ago

@garyha to add to what @umitanuki said, regarding your comment around a secret key: this is typically in PKI infrastructure. This is commonly used in TLS (commonly HTTPS) communications over the public internet, and in these cases the secret or private key should never be shared or sent. https://www.securew2.com/blog/public-key-infrastructure-explained/

From an API perspective, sending the secret with each request is considered a reasonable practice as long as it is sent over a secure protocol (HTTPS). Basically, the secret is the password, just like the one you would send in an interactive web login to identify you.

Hope that helps, if you have any other questions feel free to fire them over :)