
API keys are symmetrical, so every client needs a unique one. Singing allows the server to have only one certificate for all clients (webhook receivers). More convenient.


But the server has no problem storing a unique webhook address for each client.

I suppose you can just add a bearer token into the address, if you need that. A different address per association, containing a bearer token, with HTTPS, provides the same security as if the bearer token was sent in a separate header.


Webhooks basically never implement asymmetric signing. If you survey the industry, 99% of the time if it’s signed, it’s HMAC.
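
The symmetric-key trade-off discussed in this thread, as an added example that is not part of any comment: with HMAC the receiver holds the same secret that signs, which is why the sender keeps one secret per receiver. The receiver names, secrets and payload are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample secrets: the sender stores one per webhook receiver.
PER_RECEIVER = {
    "receiver-a": b"constructed-secret-a",
    "receiver-b": b"constructed-secret-b",
}
# Constructed counter-example: one secret handed to every receiver.
SHARED = b"constructed-shared-secret"


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 tag over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = sign(secret, body)
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    body = b'{"event": "invoice.paid", "id": 1}'  # constructed payload
    tag_a = sign(PER_RECEIVER["receiver-a"], body)
    return {
        # Genuine delivery to receiver-a verifies.
        "genuine": verify(PER_RECEIVER["receiver-a"], body, tag_a),
        # Any change to the body invalidates the tag.
        "tampered": verify(PER_RECEIVER["receiver-a"], body + b" ", tag_a),
        # receiver-a's secret produces nothing receiver-b will accept.
        "cross_receiver": verify(PER_RECEIVER["receiver-b"], body, tag_a),
        # With one shared secret, a tag made by any holder of it is
        # accepted by every other receiver: verifier == potential signer.
        "shared_secret": verify(SHARED, body, sign(SHARED, body)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```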


if the server can carry a tune that is



