Interesting case. So this was implemented for long-lived API tokens (order of months)? This must have been a very detailed design process for such an architecture, haven't been?
I believe you had scalability challenges to tackle! Just curious: standard OAuth with rotating refresh tokens was not feasible?
Was the ratio between active long-lived API tokens (many) and invalidated ones (few) one of the deciding factors?
30+ years of tech, retired from an identity intelligence company, now part-time with an insurance broker.
Dev community mod - mostly light gardening & weeding out spam :)
Yes, we looked at the risk of accepting tokens over different timescales, and concluded that only API keys were a material risk to us (use outside of contract, reputation loss), most of the risk of shorter term token misuse was carried by our customers as it would be their account that got billed if they leaked a token. I should note that the majority of our customers (80%+) used our API integration, not the browser-based UI (for which we had standard OAuth with rotating session tokens and refresh tokens with lifetimes on the order of a few days).
At the time I retired, we were handling ~1billion API calls a day globally.
Interesting case. So this was implemented for long-lived API tokens (order of months)? This must have been a very detailed design process for such an architecture, haven't been?
I believe you had scalability challenges to tackle! Just curious: standard OAuth with rotating refresh tokens was not feasible?
Was the ratio between active long-lived API tokens (many) and invalidated ones (few) one of the deciding factors?
Yes, we looked at the risk of accepting tokens over different timescales, and concluded that only API keys were a material risk to us (use outside of contract, reputation loss), most of the risk of shorter term token misuse was carried by our customers as it would be their account that got billed if they leaked a token. I should note that the majority of our customers (80%+) used our API integration, not the browser-based UI (for which we had standard OAuth with rotating session tokens and refresh tokens with lifetimes on the order of a few days).
At the time I retired, we were handling ~1billion API calls a day globally.
Great use case! What a scale!