May 14, 2003

App keys

Tim Bray:

The problem is that all the URIs have to include an “appkey,” basically a ticket representing your right to use the API. The whole point of publishing a URI is that anyone can use it in any way they want, and you just can't do that the way it's set up now.

Sounds like essentially the same problem John and co. needed to solve for localhost GWS: service-authorization, without polluting the namespace. In the local GWS case, your appkey can be found stashed in the registry, but changes regularly, so knowing the key inherently authenticates you as having certain rights on the device.

But where to put the key in the message?

GWS answer: soap:header. Yuk, clunk, grunch. (Actually, it works reasonably well - the largest problem usually ends up being finding the key). But what are the alternatives? HTTP content header? (Not bad - but SOAPAction made that decision for something like the opposite reason, which makes no sense to me).
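
The placements discussed above (URI, HTTP header, soap:header), as an added Python example that is not code from the original post or from GWS: a client carries the key in soap:Header, and a receiver checks it while refusing any key that arrives in the URI. The `AppKey` element, its `urn:example:appkey` namespace, the `x-app-key` header name, the `appkey` query parameter and the reject-URI-keys policy are all assumptions made for illustration.

```python
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
KEY_NS = "urn:example:appkey"    # hypothetical namespace for the key element
HTTP_KEY_HEADER = "x-app-key"    # hypothetical HTTP header name (lowercased)
KEY_PATH = f"{{{SOAP_NS}}}Header/{{{KEY_NS}}}AppKey"


def build_envelope(app_key, body_xml):
    """Client side: carry the key in soap:Header, leaving the URI key-free."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{KEY_NS}}}AppKey").text = app_key
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def key_from_request(url, http_headers, payload):
    """Return (location, key) for the first key found, else (None, None)."""
    query = dict(parse_qsl(urlsplit(url).query))
    if "appkey" in query:
        return "uri", query["appkey"]
    headers = {name.lower(): value for name, value in http_headers.items()}
    if HTTP_KEY_HEADER in headers:
        return "http-header", headers[HTTP_KEY_HEADER]
    if payload:
        try:
            # For untrusted XML in production, prefer a hardened parser.
            node = ET.fromstring(payload).find(KEY_PATH)
        except ET.ParseError:
            return None, None
        if node is not None and node.text:
            return "soap-header", node.text
    return None, None


def authorize(url, http_headers, payload, expected_key):
    """Assumed policy: reject keys in the URI, compare the rest in constant time."""
    location, key = key_from_request(url, http_headers, payload)
    if key is None or location == "uri":
        return False
    return hmac.compare_digest(key.encode(), expected_key.encode())
```

With the key out of the URI, the URI itself can be published or logged without handing out the right to call the service.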