One thing I hadn’t fully considered with tgt.me was how to secure the API calls.
I was originally looking at using a per-user API key (see the database diagram), but that key would be transmitted in the clear, so it is not a very secure solution. The user could change their key if the account began to be used by unauthorized parties, but that doesn’t provide much in the way of comfort.
Requiring the calls to be made over HTTPS could be added on top. This would prevent (or at least hamper) a man-in-the-middle attack. A downside still exists, though, if I ever want third-party apps to use the API: the user would have to entrust their key to the third party.
Another layer could be added with a “secret” key used to sign (hash) each request. This would lock a call to a particular authorized app, but it would not eliminate the need for the user to share full access to the account with the third party.
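To make the “secret key hashes the request” idea concrete, here is an added example of HMAC request signing; it is not code from tgt.me, and the header names, the `APP_SECRETS` lookup and the five-minute replay window are assumptions. The client signs the method, path, timestamp and a hash of the body with the app’s secret; the server recomputes the signature, compares it in constant time, and rejects stale or tampered requests.

```python
import hashlib
import hmac
import time

# Constructed sample credentials. In a real deployment these would come from
# the app table in the database; the names here are assumptions, not the
# project's schema.
APP_SECRETS = {
    "app_demo": b"constructed-secret-for-demo-app",
}
REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew / replay


def canonical_string(method, path, timestamp, body):
    """Build the exact string that gets signed.

    Covering method, path, timestamp and a body hash means a captured
    signature cannot be reused for another endpoint, another payload,
    or outside the time window.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(app_id, method, path, body, timestamp=None):
    """Client side: produce the headers a third-party app would attach."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(APP_SECRETS[app_id], msg, hashlib.sha256).hexdigest()
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason).

    Rejects unknown apps, missing/stale timestamps (replay) and bad
    signatures. The signature check uses a constant-time comparison so
    the server does not leak how many leading characters matched.
    """
    if now is None:
        now = int(time.time())
    secret = APP_SECRETS.get(headers.get("X-App-Id"))
    if secret is None:
        return False, "unknown app"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale request"
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"name": "example"}'
    hdrs = sign_request("app_demo", "POST", "/api/targets", body)
    print(verify_request(hdrs, "POST", "/api/targets", body))
    print(verify_request(hdrs, "POST", "/api/targets", b'{"name": "tampered"}'))
```

Note what the signature does and does not buy: it ties the call to the app that holds the secret and defeats replay and tampering, but the secret still grants whatever access the account has. Scoping that access per app is exactly the gap OAuth is meant to close.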
That leaves me with an OAuth implementation. This has become the standard for API integrations, and who am I to buck that trend? It also gives me the opportunity to build an OAuth server, so expect some new articles on that whole process as well.