Hummingbird v1

By vikhyat | Updated 21 days ago | Entertainment

Authentication Token validity duration

inket
10 years ago

For how long does an authentication token stay valid? Indefinitely?

Shouldn’t it change when the user changes his password? (I just tried and it didn’t)

A bit unrelated, but how does everyone feel about sending their unencrypted passwords to mashape?

richardr Commented 10 years ago

I’m assuming that at some point there will be the ability to revoke them from the user settings page on the site like with everything else.

Not too happy with sending unencrypted passwords anywhere to be honest, especially when I’m making sure my application stores the token securely using on-device hardware encryption and throws away everything else immediately.

halvkant Commented 10 years ago

I’m also a bit hesitant to send an unencrypted password, mostly for the risk of it being sniffed (without even putting an effort to it).

exitium Commented 10 years ago

+1

richardr Commented 10 years ago

+1

vikhyat Commented 10 years ago

The plan is to have developers register the Mashape API keys used for each application with us. When an authentication token is requested for a user, the application will be added to their “account settings” page and from there users will be able to revoke the tokens generated for each individual application. This is not implemented at present, and the token returned to all applications for a particular user is actually the same right now; however, this will be changing in the near future.

The API will remain the same, the only added step would be having to fill up a form with the name of the application and the associated Mashape API key.

One way to avoid transmitting passwords in the clear would be to use RSA – you would upload a private key and encrypt passwords using the corresponding public key before transmitting them to us. What are your thoughts on something along those lines?
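
The per-application token scheme described in the comment above, sketched as an added example that is not part of the thread or Hummingbird's own code: each (user, application key) pair gets its own token, stored only as a hash, so one application can be revoked without affecting the others. The `TokenStore` class, its method names, and the revocation of all tokens on a password change (the behaviour asked about in the opening post) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Hypothetical per-application token store; keeps only SHA-256 digests."""

    def __init__(self):
        # (user, app_key) -> digest of the token currently valid for that pair
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, app_key):
        """Issue a fresh random token for one application, replacing any older one."""
        token = secrets.token_urlsafe(32)
        self._tokens[(user, app_key)] = self._digest(token)
        return token  # the plaintext token is returned once and never stored

    def verify(self, user, app_key, token):
        """Check a presented token against the stored digest in constant time."""
        stored = self._tokens.get((user, app_key))
        return stored is not None and hmac.compare_digest(stored, self._digest(token))

    def applications(self, user):
        """What an "account settings" page would list for this user."""
        return sorted(app for (u, app) in self._tokens if u == user)

    def revoke(self, user, app_key):
        """Revoke one application's token; returns whether one existed."""
        return self._tokens.pop((user, app_key), None) is not None

    def on_password_change(self, user):
        """Invalidate every token for the user; returns how many were revoked."""
        doomed = [key for key in self._tokens if key[0] == user]
        for key in doomed:
            del self._tokens[key]
        return len(doomed)
```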

halvkant Commented 10 years ago

So the future system will in essence work like Facebook does for its integrated apps, meaning access is decided on a per-application level?

RSA encryption does seem like the most simple and best way to solve it.

inket Commented 10 years ago

Makes sense. Also, +1 for RSA encryption.

kbkarma Commented 10 years ago

+1
