How to accept authentication on a web API without SSL?

Frontend · unresolved · 4 467
悲哀的现实 2021-01-30 18:54

I'm building a web API very similar to what StackOverflow provides.

However, in my case security is important since the data is private.

  • I must use HTTP.
4 answers
  •  再見小時候
    2021-01-30 19:22

    Nearly every public API works by passing an authentication token for each web request.

    This token is usually assigned in one of two ways.

    First, some other mechanism (usually logging into a website) will allow the developer to retrieve a permanent token for use in their particular application.

    The other way is to provide a temporary token on request. Usually you have a webmethod in which they pass you a username / password and you return a limited-use token based on whether it is authenticated and authorized to perform any API actions.

    After the dev has the token they then pass that as a parameter to every webmethod you expose. Your methods will first validate the token before performing the action.

    As a side note the comment you made about "security is important" is obviously not true. If it was then you'd do this over SSL.

    I wouldn't even consider this as "minimal" security in any context as it only provides a false belief that you have any sort of security in place. As Piskvor pointed out, anyone with even a modicum of interest could either listen in or break this in some way.
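The temporary-token flow the answer describes (a login method that checks a username / password and hands back a limited-use token, and every other method validating that token before doing anything), as an added example that is not part of the original answer. `TokenService`, the PBKDF2 iteration count, the 5-minute TTL and the use counter are all assumptions chosen for illustration; the user store is constructed in-memory. Nothing here changes the answer's point: over plain HTTP the token returned by `login` travels in the clear, so anyone on the path can read it and replay it until it expires.

```python
import hashlib
import hmac
import os
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked user store does not give up passwords directly.
    # Iteration count is an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TokenService:
    """Hypothetical token issuer/validator backing an HTTP API (example code)."""

    def __init__(self, ttl_seconds: float = 300, max_uses: int = 10, clock=time.time):
        self._users = {}    # username -> (salt, pbkdf2 hash); constructed in-memory store
        self._tokens = {}   # sha256(token) -> {"user", "expires", "uses_left"}
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self._clock = clock  # injectable so expiry can be tested deterministically

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """The 'webmethod' from the answer: returns a limited-use token or None."""
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so timing does not
            # reveal which usernames exist.
            _hash_password(password, b"\x00" * 16)
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash of the token so a dump of this table cannot be replayed.
        key = hashlib.sha256(token.encode("ascii")).digest()
        self._tokens[key] = {
            "user": username,
            "expires": self._clock() + self.ttl,
            "uses_left": self.max_uses,
        }
        return token

    def validate(self, token: str):
        """Called first by every API method: returns the username or None."""
        key = hashlib.sha256(token.encode("ascii")).digest()
        record = self._tokens.get(key)
        if record is None:
            return None
        if self._clock() > record["expires"] or record["uses_left"] <= 0:
            del self._tokens[key]  # expired or exhausted: drop it
            return None
        record["uses_left"] -= 1
        return record["user"]

    def revoke(self, token: str) -> bool:
        key = hashlib.sha256(token.encode("ascii")).digest()
        return self._tokens.pop(key, None) is not None


def get_private_data(service: TokenService, token: str) -> dict:
    """Example API method: validate the token before touching private data."""
    user = service.validate(token)
    if user is None:
        return {"status": 401, "error": "invalid, expired or exhausted token"}
    return {"status": 200, "data": f"private records for {user}"}


if __name__ == "__main__":
    svc = TokenService(ttl_seconds=300, max_uses=3)
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong"))                 # None
    tok = svc.login("alice", "correct horse battery staple")
    print(get_private_data(svc, tok))                  # 200 for alice
    svc.revoke(tok)
    print(get_private_data(svc, tok))                  # 401 after revocation
```

Send the token in an `Authorization` header rather than as a query-string parameter so it does not end up in server and proxy access logs; on an unencrypted connection that distinction only helps against log readers, not against anyone capturing the traffic, which is exactly why the answer does not treat this as real security.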
