0x1ceb00da
5 months ago
on: Everything I know about good API design
So a refresh token on its own isn't more secure than a simple API key. You need a lot of plumbing and abuse detection analytics around it as well.
TrueDuality
5 months ago
Almost every one of those benefits _doesn't_ require anything else. You need one more API endpoint to exchange refresh tokens for a bearer token (over a simple static API key) and you get those benefits.