Managing a session token in a long-running application can present issues. What if the session times out? What if the session is invalidated by the server? There are many things regarding the session that we cannot control as API consumers, so if a session somehow stops working we need to write code that can request a new one and handle that. This can add a lot of complexity that I'm sure many people want to avoid. It is possible to just request a new session every time you make a request, but that is not ideal because it adds an additional request into the process and consumes some time and network resources.
Instead of requiring the session in most of the POST bodies, I propose that the API accepts the apikey as a valid form of authentication. In order to get a session in the first place, all one needs to do is provide their API key and they are given back a session. It doesn't seem like accepting the apikey would decrease security and it would make writing code that interacts with the API much simpler and less error-prone.
Still, this seems like a reasonable request (especially now that we have https for nova). But I don't foresee having time to implement it in the near future.