The API documentation recommends against using basic authentication. I am fine with using other methods, but I don't understand how end users are supposed to authenticate. Using API keys or HMAC seems to work better for applications that need to authenticate instead of users. If an external application needs to authenticate a user, which method is supposed to be used?
For example, I built an iOS app for my organization that connects to Espo. Currently, I present users with a login screen, which requires users to enter usernames and passwords. After authenticating using basic auth, tokens are stored in iCloud, which the app uses to authenticate during future sessions. The process always uses basic auth because the API key/HMAC method does not seem to make sense for this use case.
Am I wrong? Should I be using API Keys/HMAC for user-based authorization flows? I am confused because the documentation seems to suggest using basic auth for users and API Key/HMAC for applications.
As an aside, if there is a way to require 2FA for users from an external application, I would appreciate advice about how to enable that feature.