Hi Eric! If there's no user authentication, you can use two-legged OAuth. That means there's only consumer credentials but no token credentials.
If the application is not hosted somewhere but deployed and installed at their users', there's as far as I know no way to securely integrate consumer credentials. Unfortunately I think it's difficult to give you advice regarding key management, e.g. replacing compromised keys, without knowing the exact circumstances.

Regards,
Lukas Rosenstock

2010/7/30 Eric J. Smith <e...@codesmithtools.com>
> I am developing an API that will be used by users of my customers.
> Here is what the flow will look like:
>
> - User of my cloud based service creates an API key.
> - User embeds the API key into their own custom applications.
> - User deploys the application to their own end users.
> - The application talks to our API.
>
> I am looking for advice on how to secure this API. I see a few issues:
>
> - API key has to be embedded into the users' application and is
> therefore vulnerable to being stolen and abused.
> - Once an API key is compromised, it can easily be disabled, but how
> will my users update their applications to use a new API key short of
> having to rebuild the application and redeploy.
>
> Does anyone have any ideas on how to design this?
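Two-legged OAuth 1.0 (HMAC-SHA1) as Lukas describes it, added here as an illustration and not code from either poster: the client signs with the consumer secret alone (empty token secret), which is exactly why a key embedded in a deployed application is available to whoever holds the binary, and the server side shows what disabling a compromised key amounts to. The hostname, key names, nonce store and time window are assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # params: query plus oauth_* parameters, excluding oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def two_legged_signature(method, url, params, consumer_secret):
    # Two-legged: no token secret, so the HMAC key is "<consumer_secret>&"
    key = (pct(consumer_secret) + "&").encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, url, query, consumer_key, consumer_secret, nonce=None, ts=None):
    # Client side: the consumer secret has to be here, i.e. inside the deployed application
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if ts is None else ts),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = two_legged_signature(method, url, params, consumer_secret)
    return params

def verify_request(method, url, params, secrets_by_key, seen_nonces, now=None, window=300):
    # Server side: unknown/revoked key, stale timestamp, replayed nonce or bad signature
    # all reject the request; revoking a key is just removing it from secrets_by_key (assumed store)
    secret = secrets_by_key.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    ts = int(params.get("oauth_timestamp", 0))
    if abs((int(time.time()) if now is None else now) - ts) > window:
        return False
    replay_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
    if replay_key in seen_nonces:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = two_legged_signature(method, url, unsigned, secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)
    return True
```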