tgerring / hiveapp-bitpremier

Hive Wallet app for BitPremier
MIT License

Application API key required #1

Open tgerring opened 10 years ago

tgerring commented 10 years ago

Currently, the BitPremier API requires application-specific authorization keys. Because this is a JavaScript app that runs in a browser window of an open-source application, we cannot reliably hide the key.

@joshkehn if you were using the same API for the main BitPremier website, how would you secure the key from user snooping?

joshkehn commented 10 years ago

@tgerring We aren't using the same API for the main BitPremier website.

Because this is an open source app there are two options:

  1. Have people request their own key. We can build out a developer section on our side that will manage this, but initially they can email in and request their own key.
  2. We provide a key to you for public inclusion in the project's source. Obviously if there is abuse stemming from this key we'll need to revoke access.

tgerring commented 10 years ago

OAuth would be our preferred way of authenticating users, but we don't want to be overly cumbersome as to REQUIRE this if users just want to browse the listings.

What about keeping /category and /listing "open" for the foreseeable future (since this is public on your website anyway) and if users would like to bid, etc., we'd prompt them to do the OAuth dance?

joshkehn commented 10 years ago

@tgerring I'd like to avoid doing any sort of OAuth because the bid endpoint is supposed to be anonymous. I'll send you an email so we can chat a bit more about this offline.