DO Ideas 2

xAuth style API authentication.

Something similar to https://dev.twitter.com/docs/oauth/xauth

Where the username/password can be sent to the api one time and exchanged for the client_id and api_key.

This would make things a lot less painful for end users trying to consume the api through third party clients (Basin in this case).

Typing their email and password is much better than the lengthy api keys.

Of course this presents the security risk of usernames and passwords being exposed to third parties and trusting them not to store the data, so xAuth would have to be approved on a case by case, app by app basis.

  • Josh Frye
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

    We've shipped the new version of the API. It is now available for all customers as a beta release under the API section and documentation can be found at: https://developers.digitalocean.com

    With the new v2.0 API we have moved over to a fully RESTful architecture and also made OAuth the default. Customers can now create multiple access tokens to the API and specify the level of access as either READ or WRITE. With OAuth third party developers can also better leverage the API and customers can determine what level of access to grant to applications that are created by other developers. This will improve the security of the API as well as using third party applications by determining the level of trust that you want to give them.

    We also have a changelog up for the new API on GitHub. Along with that, we are also requesting any feedback, comments, or bug reports as well: https://github.com/digitaloceancloud/api-v2

    Thanks!
  • Rafi Baum commented
    September 11, 2018 19:04

    Absolutely. This will make mobile apps much more convenient than copying and pasting an API key.

  • Zane Ashby commented
    September 11, 2018 19:04

    I would love to see DigitalOcean implementing some form of OAuth. My dream use-case is "one-click" server provisioning from a GitHub repository (it is currently "a-few-clicks" and some copy/paste of an API key ;)).

    Ideally an app would be able to ask for permission to boot an instance of a particular size, and the user could then choose to allow that or not.

    Just imagine the possibilities!