Introducing tokens

This is yet another benefit from the introduction of our new frontend back in November: starting today, Superfeedr offers authentication tokens.

Up until now, you had to use your main Superfeedr login and password to perform API calls. This was simple, but it could also expose you to a security risk when working with a team, since you had to share these credentials.

Today, we’re introducing simple authentication tokens. In practice, they behave exactly like passwords. You will still use HTTP basic auth against our https://push.superfeedr.com endpoint (always over HTTPS). The only important difference is that they can only authenticate against the API, and they can also be limited in scope. This means that a given token can only be used for certain calls:

  • subscription
  • unsubscription
  • listing subscriptions
  • retrieving a feed’s status
  • xmpp authentication

You can generate an unlimited number of tokens, and revoke them at will. Feel free to read more in our docs on how to use them with PubSubHubbub or with XMPP.

Implementation

This is actually fairly simple, but I want to give a quick thank you to Bruno Pedro, from ApiUX for his quick help and tips.

The tokens are 32-byte strings, randomly generated except for a small CRC. Embedding a CRC in the string lets us reject obviously malformed tokens without hitting the database.
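The following is an added example, not Superfeedr's code, showing how the pieces described above fit together: a random token carrying a CRC, a cheap structural check that runs before any database lookup, a token store that records each token's allowed scopes (the five call types listed earlier) and supports revocation, and the HTTP basic auth framing a client would send. The layout (28 random bytes followed by a 4-byte CRC-32, hex-encoded), the scope names, and the `TokenStore` class are all assumptions made for the illustration; the post does not specify the CRC width or encoding.

```python
import base64
import hashlib
import hmac
import secrets
import zlib

# Assumed layout (not the published Superfeedr format): 28 random bytes
# followed by the big-endian CRC-32 of those bytes, 32 raw bytes in total,
# hex-encoded for transport.
RANDOM_LEN = 28
CRC_LEN = 4
TOKEN_LEN = RANDOM_LEN + CRC_LEN  # 32 bytes

# Assumed scope names, one per API call type from the post.
SCOPES = frozenset({"subscribe", "unsubscribe", "list", "status", "xmpp"})


def generate_token() -> str:
    """Return a hex token: CSPRNG body + CRC-32 trailer."""
    body = secrets.token_bytes(RANDOM_LEN)
    crc = zlib.crc32(body).to_bytes(CRC_LEN, "big")
    return (body + crc).hex()


def crc_ok(token_hex: str) -> bool:
    """Structural pre-check: wrong length, bad hex or a CRC mismatch is
    rejected here, so garbage never reaches the database. The CRC is not
    a secret; it only filters obviously malformed input."""
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return False
    if len(raw) != TOKEN_LEN:
        return False
    body, crc = raw[:RANDOM_LEN], raw[RANDOM_LEN:]
    expected = zlib.crc32(body).to_bytes(CRC_LEN, "big")
    return hmac.compare_digest(crc, expected)


class TokenStore:
    """Stand-in for the database. Only a SHA-256 of each token is stored,
    so a dump of the table does not yield usable credentials."""

    def __init__(self) -> None:
        self._scopes_by_hash: dict[str, frozenset] = {}
        self.db_lookups = 0  # counts how often the CRC check let a lookup through

    @staticmethod
    def _key(token_hex: str) -> str:
        return hashlib.sha256(token_hex.encode()).hexdigest()

    def issue(self, scopes) -> str:
        scopes = frozenset(scopes)
        unknown = scopes - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = generate_token()
        self._scopes_by_hash[self._key(token)] = scopes
        return token

    def revoke(self, token_hex: str) -> None:
        self._scopes_by_hash.pop(self._key(token_hex), None)

    def authorize(self, token_hex: str, scope: str) -> bool:
        """True only if the token is well-formed, known, unrevoked and
        issued with the requested scope."""
        if not crc_ok(token_hex):
            return False  # rejected before touching the database
        self.db_lookups += 1
        allowed = self._scopes_by_hash.get(self._key(token_hex))
        return allowed is not None and scope in allowed


def basic_auth_header(login: str, token_hex: str) -> str:
    """Client side: the token goes where the password used to go."""
    creds = f"{login}:{token_hex}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def parse_basic_auth(header: str):
    """Server side: return (login, secret) or None for a malformed header."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    login, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return login, secret


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue(["subscribe", "status"])
    login, secret = parse_basic_auth(basic_auth_header("me", tok))
    print("subscribe allowed:", store.authorize(secret, "subscribe"))
    print("unsubscribe allowed:", store.authorize(secret, "unsubscribe"))
    print("db lookups so far:", store.db_lookups)
```

The `db_lookups` counter makes the point of the CRC visible: a token with a flipped character fails `crc_ok` and never costs a query, while a well-formed but revoked or out-of-scope token does reach the store and is refused there. Scope checks belong at the store, not in the token format, so that revocation and scope changes take effect immediately.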

On the same topic, see “We love HTTP basic” and “Heartbleed: change your passwords and tokens”.

Previously, on the Superfeedr blog: Moving to Prosody.im.