API Keys and Privacy
draft-ietf-httpapi-privacy-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Active".
Expired & archived
Authors Rich Salz , Mike Bishop , Marius Kleidl
Last updated 2025-05-10 (Latest revision 2024-11-06)
Replaces draft-rsalz-httpapi-privacy
RFC stream Internet Engineering Task Force (IETF)
Formats
txt html xml htmlized bibtex bibxml
Reviews
ARTART IETF Last Call review (of -04) by Barry Leiba Ready
GENART IETF Last Call review (of -04) by Roni Even Ready
SECDIR Early review (of -02) by Christian Huitema Has nits
HTTPDIR Early review (of -02) by Mark Nottingham On the right track
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits Search email archive

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

txt html xml htmlized bibtex bibxml

Abstract

Redirecting HTTP requests to HTTPS, a common pattern for human-facing web resources, can be an anti-pattern for authenticated API traffic. This document discusses the pitfalls and makes deployment recommendations for authenticated HTTP APIs. It does not specify a protocol.

Authors

Rich Salz
Mike Bishop
Marius Kleidl

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)