On Thu, Oct 17, 2013 at 8:05 AM, David M. Lee <dlee at digium.com> wrote:
>
> On Oct 17, 2013, at 12:22 AM, Paul Belanger <paul.belanger at polybeacon.com> wrote:
>
>> Now, the reason for having it was because this was the default way
>> swagger passed credentials via HTTP. I'm not sure why they didn't
>> simply add http://username:password@example.org support, but that is a
>> different issue (in fact I plan to open a bug upstream).
>
> There have been a few cases where an HTTP or WebSocket client library
> didn't support HTTP Basic auth. Putting the HTTP Basic auth header in
> there is not hard, but adding an ?api_key param is dead simple.

The Perl Protocol::WebSocket library does not support Basic auth and having api_key available was a very useful feature to me. I could imagine many other websocket libraries being the same way. Compared to basic auth, I don't see any significant security risk.

Corey