We’re constructing a public-facing API. The shoppers of this API shall be enterprise companions of ours – we’ll most likely have a private relationship with each, and I think there’ll solely ever be 10-40 of those clients. So we’re not coping with the identical issues that e.g. Spotify/Fb may with their public APIs.
We need to give every consumer completely different API learn permissions, so some stage of authorization is required.
We have been going to subject every buyer with an API key, and retailer the associated permissions in a desk. However now we’re questioning if we must always implement JWTs to deal with this.
Professionals of API keys:
- Easy. Straightforward for the shoppers to implement (pretty essential for us)
- Makes charge limiting easier, as there shall be fewer auth calls.
- Cheaper (we’re utilizing AWS lambda so paying per request)
- Faster for us to construct too
Professionals of JWTs
- Extra established manner of dealing with authorization. No must reinvent the wheel.
- Keep away from any unexpected pitfalls round implementing your personal entry mechanism
- Fewer database look-ups on our finish (however presumably slower stream general)
- …any others I’ve missed right here?
We’re leaning in the direction of API keys for simplicity, however need to guarantee we’re not lacking one thing essential.