API Tokens: A Tedious Survey

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • paseto

    Platform-Agnostic Security Tokens

  • For PASETO, the quick guide to library support is https://paseto.io

  • php-jwt

    PHP package for JWT

  • > Why all the hate for JWTs?

    > Just pick a crypto scheme and the JWT is just an encoding that makes it easier to use.

    That's not what JWT is, but I can understand why someone would be misled into believing that.

    JWT isn't just an encoding format, it also includes a crypto algorithm negotiation protocol that lets the attacker choose the algorithm. Even if you strictly allow-list which algorithm you want to support, you can accidentally bypass this control in many libraries if you support the `kid` (key ID) header. [1]

    It also allows attackers to completely strip the security. [2] [3]

    Put shortly, JWT is a gun aimed directly at your foot. That's why there's so much hate for JWTs.

    [1] https://github.com/firebase/php-jwt/issues/351

    [2] https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...

    [3] https://www.howmanydayssinceajwtalgnonevuln.com/
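    The two failure modes named in the comment above (the token's own `alg` header being honoured, and an attacker-controlled `kid` feeding a key lookup) both come down to the verifier reading policy out of the untrusted token. The following is an added example, not code from the thread or from php-jwt, of a minimal HS256 verifier that pins the algorithm server-side and treats `kid` as nothing more than an opaque key into a fixed in-memory key ring; the key ring, the key IDs `k1`/`k2` and the secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key ring for the example: key ID -> HMAC secret.
# In a real deployment these come from a secrets store, never from the token.
KEYS = {
    "k1": b"constructed-secret-for-key-one",
    "k2": b"constructed-secret-for-key-two",
}

# The only algorithm this verifier will ever accept. It is a server-side
# constant; the token's "alg" header is compared against it, never used.
PINNED_ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Re-add the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, kid: str) -> str:
    """Issue a token under one of our own keys (issuer side)."""
    header = {"alg": PINNED_ALG, "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str) -> dict:
    """Return the payload if the token is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))

    # 1. Algorithm: the token does not get a vote. "none", "HS512", an RSA
    #    key confusion, or a missing header all fail this single comparison.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("algorithm not allowed")

    # 2. Key ID: only a string that is literally a key in our ring is
    #    accepted. It is never used to build a path, a query, or a URL,
    #    so there is nothing for an attacker-chosen kid to reach.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise ValueError("unknown key id")

    # 3. Signature over the exact header.payload bytes received, compared
    #    in constant time.
    expected = hmac.new(KEYS[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    return json.loads(_b64url_decode(p_b64))


def is_valid(token: str) -> bool:
    """Boolean wrapper so callers (and tests) can check without try/except."""
    try:
        verify(token)
        return True
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    tok = sign_hs256({"sub": "alice"}, "k1")
    print("good token:", is_valid(tok))
    # A token whose header claims alg "none" and carries no signature.
    h, p, _ = tok.split(".")
    none_tok = _b64url_encode(b'{"alg":"none","kid":"k1"}') + "." + p + "."
    print("alg=none token:", is_valid(none_tok))
```

The design choice that matters is that every decision the verifier makes (`PINNED_ALG`, `KEYS`) is taken from server-side constants, and the only header fields it reads are compared against those constants rather than interpreted. A library that instead dispatches on `header["alg"]` or builds a file path from `header["kid"]` is the shape the linked issues describe.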

  • Sentry

    Developer-first error tracking and performance monitoring

  • I'd love to see this too, but it's hard.

    The biggest challenge is that it's hard to get service providers to change their token format. Very few have this at the top of their priority list - they're busy with other things. Here's an example playing out in OSS that is pretty typical: I tried to persuade the (excellent) team at Sentry to update their format, and they essentially told me "we have other priorities" https://github.com/getsentry/sentry/pull/26313. And that's a relatively simple change, not the adoption of a whole standard.

    That said, there is an opportunity to sidestep that concern for service providers that already use JWTs or Macaroons. Generic tokens of this type are relatively easy to identify, and it's easy (and hopefully uncontroversial) to encode more information in them, like an "if found" link. I think a standard that defines the attribute name there, and the API for reporting / responding, would be a good start that might see adoption.
