Secure your API with two-legged OAuth

If you have some kind of website or service and need to create an API for developers, consider using two-legged OAuth. OAuth is an easy way to “secure” your nascent API because there are a lot of libraries you can use to handle both the server and client side. This will save you time now and leave you an upgrade path for when you need something more full-blown.

I own part of a business that spends a lot of money collecting & creating valuable data about patent litigation. Some people pay us for bulk access to that data via an API. Obviously, we need to make sure requests to our API are authenticated and authorized. Also, we need to track usage to prevent abuse. Two-legged OAuth is perfect for that use case.

In two-legged OAuth, you give a developer an API key and secret, which OAuth calls the OAuth consumer key and consumer secret. The OAuth protocol (and the numerous off-the-shelf libraries that implement it) specifies how this key/secret combo is used to cryptographically sign every API request, so that the server can unambiguously identify which developer made each request.
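As an added illustration (not code from the original post), here is a server-side verifier for two-legged OAuth 1.0 requests signed with HMAC-SHA1, together with the matching client-side signer so the two halves can be exercised against each other. The consumer registry, API key/secret and URL are constructed sample values, and the in-memory nonce set stands in for whatever shared store a real deployment would use.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical consumer registry (constructed sample values).
CONSUMERS = {"acme-key": "acme-secret"}
MAX_SKEW = 300        # seconds of clock drift tolerated
_seen_nonces = set()  # (consumer_key, nonce); use a shared store in production

def _enc(s):
    # OAuth 1.0 mandates RFC 3986 percent-encoding: only A-Za-z0-9-._~ unescaped.
    return quote(str(s), safe="~")

def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted, normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in pairs))
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def sign(method, url, params, consumer_secret):
    # Two-legged: no token, so the HMAC key is "<secret>&" (empty token secret).
    key = (_enc(consumer_secret) + "&").encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_params(consumer_key, consumer_secret, method, url, nonce, timestamp):
    """What a developer's OAuth library sends: oauth_* parameters plus the signature."""
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce, "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp)}
    p["oauth_signature"] = sign(method, url, p, consumer_secret)
    return p

def verify_request(method, url, params, now=None):
    """Server-side check: known consumer, fresh timestamp, unseen nonce, valid signature."""
    now = time.time() if now is None else now
    key = params.get("oauth_consumer_key")
    secret = CONSUMERS.get(key)
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    nonce, ts = params.get("oauth_nonce"), params.get("oauth_timestamp", "")
    if (not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW
            or not nonce or (key, nonce) in _seen_nonces):
        return False  # malformed timestamp, stale, or replayed
    expected = sign(method, url, params, secret)
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return False  # forged or tampered
    _seen_nonces.add((key, nonce))  # record the nonce only after a successful check
    return True
```

The timestamp window and nonce record are what turn a valid signature into a one-time, short-lived credential for that exact request; without them a captured request could be replayed indefinitely.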

That’s clearly cool. But the best part is that you can tell the developers “We’re using two-legged OAuth. Please read the docs on it and use one of the numerous libraries.” Or, you can just copy & paste from those libraries when you’re providing example code for interacting with your API. That will save you a lot of time. Furthermore, you can be relatively sure you didn’t do anything too stupid or esoteric, because you relied on an industry-standard protocol.

I highly recommend checking out two-legged OAuth before rolling your own authentication/authorization method for a new API.