Good approach for a web API token scheme?

Question

I am working on a REST API for a web application that up until now we have developed internally for a couple of companion applications. Now that we are looking at opening up to outside developers we want to add tokens to the API in order to help identify who is making requests and in general to help manage it's use. At this point we are using https and basic authentication for user authentication on the API.

The token scheme we've been discussing would be very simple where each developer would be assigned 1 or more tokens and these tokens would be passed as a parameter with each request.

My question is if you've done something similar before how did you do it (did you do more or less, how did you handle security, etc) and do you have any recommendations?

Answer 1

First, you might want look at http://OAuth.net. Depending on your usecases, it might provide the security you need.

As to the token, it's a BLOB to most protocols, including OAuth. You can put any information you need in it in any format.

Here is what we do,

1. First we assign each developer a key with associated secret.
2. The token itself is an encrypted name-value pairs. We put things like username, expiry, session id, roles etc in there. It's encrypted with our own secret so no one else can make it.
3. For easy of use with web API, we use the URL-safe version of Base64 so the token is always URL-safe.

Hope that helps!