bloodearnest
commented
2 years ago Filling this out at bit, the plan is to currently use our API tokens as passwords, including them in the HTTP Authorization header.
This is ok for now, as were going over HTTPS, but it's not great, as we are still sending the full token in everyrequest.
It might be worth the effort to use the API token to sign each request, and verify it server side as authentication.
But that requires deciding what we should sign to make a request secure.
Would using our PATs for signing $something be of use?