nolanmaris, Posted February 25
Hello. When integrating REST APIs in Delphi applications, handling authentication securely is a critical concern. 😇 Many modern APIs use OAuth 2.0, JWT, or API keys for authentication, but implementing these securely in a Delphi application can be tricky. Storing credentials safely, managing token expiration and preventing unauthorized access are some of the challenges developers face. 🤔

I'm particularly interested in best practices for securely handling authentication tokens in a Delphi REST client. How should we store and refresh OAuth 2.0 tokens? What are the safest ways to manage API keys without exposing them in the source code? Also, are there any built-in Delphi components or third-party libraries that simplify secure authentication in REST-based applications? 🤔

If anyone has experience securing authentication in Delphi applications, I'd appreciate insights! Thank you! 🙂
nolanmarisdevops
Angus Robertson, Posted February 25
Treat API keys and tokens as if they are passwords, and encrypt them, as we have forever, at least in properly written applications. The type of encryption and how you protect the key really depends on your security threat level.
Angus
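Angus's advice applied to a Delphi desktop client, as an added example that is not code from anyone in the thread: the OAuth token pair is kept encrypted at rest with Windows DPAPI (CryptProtectData), which ties the encryption key to the logged-in Windows account, so the application ships no key of its own. That is one answer to the "how you protect the key" question for the common threat level of a per-user desktop client. The unit name, the TStoredToken and TTokenVault names, and the entropy string are my assumptions; the Win32 declarations are the real crypt32 signatures.

```delphi
unit TokenVault;
// Added example, not code from the thread: keep an OAuth access/refresh
// token encrypted at rest with Windows DPAPI, so the blob only decrypts for
// the same Windows user on the same machine. Names are illustrative.

interface

uses
  System.SysUtils, System.DateUtils;

type
  TStoredToken = record
    AccessToken: string;
    RefreshToken: string;
    ExpiresAtUtc: TDateTime;
    // True when the access token has expired or is about to, so the client
    // should exchange RefreshToken for a new pair before the next call.
    function NeedsRefresh(SkewSeconds: Integer = 60): Boolean;
  end;

  TTokenVault = class
  public
    class function Protect(const APlain: TBytes): TBytes;
    class function Unprotect(const ACipher: TBytes): TBytes;
  end;

implementation

uses
  Winapi.Windows;

type
  DATA_BLOB = record
    cbData: DWORD;
    pbData: PByte;
  end;
  PDATA_BLOB = ^DATA_BLOB;

const
  CRYPTPROTECT_UI_FORBIDDEN = $01;
  // Optional entropy mixed into the DPAPI key. Not a secret (it ships in the
  // binary); it only keeps other programs running as the same user from
  // decrypting this blob by accident. Assumed value.
  AppEntropy = 'MyDelphiRestClient/token-vault/v1';

function CryptProtectData(pDataIn: PDATA_BLOB; szDataDescr: PWideChar;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer;
  dwFlags: DWORD; pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';
function CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: Pointer;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer;
  dwFlags: DWORD; pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';

function TStoredToken.NeedsRefresh(SkewSeconds: Integer): Boolean;
begin
  // Compare in UTC and refresh early so an in-flight request never races
  // the expiry of the token it carries.
  Result := TTimeZone.Local.ToUniversalTime(Now) >=
    IncSecond(ExpiresAtUtc, -SkewSeconds);
end;

function BlobOf(const Bytes: TBytes): DATA_BLOB;
begin
  Result.cbData := Length(Bytes);
  Result.pbData := PByte(Bytes);
end;

function TakeBlob(var Blob: DATA_BLOB): TBytes;
begin
  // Copy DPAPI's LocalAlloc'd output into a Delphi array, then free it.
  SetLength(Result, Blob.cbData);
  if Blob.cbData > 0 then
    Move(Blob.pbData^, Result[0], Blob.cbData);
  LocalFree(HLOCAL(Blob.pbData));
end;

function Dpapi(const Input: TBytes; Encrypt: Boolean): TBytes;
var
  EntropyBytes: TBytes;
  InBlob, Entropy, OutBlob: DATA_BLOB;
  Ok: BOOL;
begin
  EntropyBytes := TEncoding.UTF8.GetBytes(AppEntropy);
  InBlob := BlobOf(Input);
  Entropy := BlobOf(EntropyBytes);
  if Encrypt then
    Ok := CryptProtectData(@InBlob, 'oauth token', @Entropy, nil, nil,
      CRYPTPROTECT_UI_FORBIDDEN, @OutBlob)
  else
    // Fails for another user, another machine, or a tampered blob.
    Ok := CryptUnprotectData(@InBlob, nil, @Entropy, nil, nil,
      CRYPTPROTECT_UI_FORBIDDEN, @OutBlob);
  if not Ok then
    RaiseLastOSError;
  Result := TakeBlob(OutBlob);
end;

class function TTokenVault.Protect(const APlain: TBytes): TBytes;
begin
  Result := Dpapi(APlain, True);
end;

class function TTokenVault.Unprotect(const ACipher: TBytes): TBytes;
begin
  Result := Dpapi(ACipher, False);
end;

end.
```

Serialize the TStoredToken (JSON is fine), pass the bytes to TTokenVault.Protect and write the result under %LOCALAPPDATA%; on startup read it back through Unprotect and call NeedsRefresh before the first request so the refresh happens ahead of expiry rather than on a 401. The limit of this design is DPAPI's threat model: any process running as the same Windows user can call CryptUnprotectData on the same blob, so it defends against other accounts and offline reads of the disk, not against malware already in the user's session. For a higher threat level, as Angus says, the key has to come from somewhere the application does not hold, such as a user-supplied passphrase or a hardware-backed store.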
Patrick PREMARTIN, Posted February 25
Depending on what you are developing you should have:
- a private ID for the user
- a private ID for the application/software/site/...
- a private ID for the device

Users or admins should be allowed to stop access to each one.

For each API call you should sign the content of the call and identify the user/app/device (or both) with one public ID, sign with the private ID, and perhaps use a public/private key or a one-time code for the API endpoint. Of course all API calls must be secured, at least over HTTPS.

Use API access levels depending on the app or the user or both.

All keys/tokens must be stored encrypted locally and never published in a code repository (even a private one).

And if you do things in JS, never put your keys in the code. Users have access to it and can see anything. (Never do JS things with a private API on a public site; it's an open door to your content.)
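Patrick's "sign the content of the call with the private ID" scheme, written out in Delphi as an added example that is not code from anyone in the thread. A public device ID travels in clear, a per-device secret that never leaves the device produces an HMAC-SHA256 over method, path, body hash, timestamp and nonce, and the server side checks freshness, compares the MAC in constant time, and remembers nonces inside the window so a captured request cannot be replayed. The header names, the canonical string layout and the 300-second window are my assumptions, not any real API's scheme; THashSHA2 and TNetEncoding are the stock RTL.

```delphi
unit ApiRequestSigning;
// Added example, not code from the thread: sign every API call with a
// per-device secret so the server can tie it to one registered device and
// reject replays. Header layout, canonical string and the 300-second window
// are illustrative assumptions.

interface

uses
  System.SysUtils, System.Hash, System.NetEncoding, System.Generics.Collections;

type
  TSignedRequest = record
    Method: string;      // e.g. 'POST'
    Path: string;        // e.g. '/v1/orders'
    Body: string;        // raw body, '' for GET
    DeviceId: string;    // public device ID, sent in clear (e.g. X-Device-Id)
    Timestamp: Int64;    // Unix seconds (e.g. X-Timestamp)
    Nonce: string;       // unique per request (e.g. X-Nonce)
    Signature: string;   // Base64 HMAC-SHA256 (e.g. X-Signature)
  end;

  // Server side: nonce -> timestamp for requests accepted inside the window.
  TNonceCache = TDictionary<string, Int64>;

function CanonicalString(const R: TSignedRequest): string;
function SignRequest(const R: TSignedRequest; const DeviceSecret: TBytes): string;
function AcceptNonce(Seen: TNonceCache; const Nonce: string; Ts, NowUnix: Int64;
  WindowSeconds: Integer): Boolean;
function VerifyRequest(const R: TSignedRequest; const DeviceSecret: TBytes;
  NowUnix: Int64; Seen: TNonceCache; WindowSeconds: Integer = 300): Boolean;

implementation

function CanonicalString(const R: TSignedRequest): string;
begin
  // Everything the server must trust goes under the MAC; the body is hashed
  // so large payloads are not concatenated into the string.
  Result := UpperCase(R.Method) + #10 + R.Path + #10 + R.DeviceId + #10 +
    IntToStr(R.Timestamp) + #10 + R.Nonce + #10 +
    THashSHA2.GetHashString(R.Body, THashSHA2Version.SHA256);
end;

function SignRequest(const R: TSignedRequest; const DeviceSecret: TBytes): string;
begin
  Result := TNetEncoding.Base64.EncodeBytesToString(
    THashSHA2.GetHMACAsBytes(TEncoding.UTF8.GetBytes(CanonicalString(R)),
      DeviceSecret, THashSHA2Version.SHA256));
end;

function ConstantTimeEquals(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  // No early exit on the first mismatching byte: a plain string compare
  // leaks how many leading bytes of the MAC were right.
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for I := 1 to Length(A) do
    Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

function AcceptNonce(Seen: TNonceCache; const Nonce: string; Ts, NowUnix: Int64;
  WindowSeconds: Integer): Boolean;
var
  Pair: TPair<string, Int64>;
begin
  // Entries older than the window can no longer pass the freshness check,
  // so they are safe to forget; everything inside it must stay unique.
  for Pair in Seen.ToArray do
    if NowUnix - Pair.Value > WindowSeconds then
      Seen.Remove(Pair.Key);
  Result := not Seen.ContainsKey(Nonce);
  if Result then
    Seen.Add(Nonce, Ts);
end;

function VerifyRequest(const R: TSignedRequest; const DeviceSecret: TBytes;
  NowUnix: Int64; Seen: TNonceCache; WindowSeconds: Integer): Boolean;
begin
  // Cheap freshness check first, then the MAC; only a request that verified
  // gets its nonce recorded, so junk cannot fill the cache.
  if Abs(NowUnix - R.Timestamp) > WindowSeconds then
    Exit(False);
  if not ConstantTimeEquals(SignRequest(R, DeviceSecret), R.Signature) then
    Exit(False);
  Result := AcceptNonce(Seen, R.Nonce, R.Timestamp, NowUnix, WindowSeconds);
end;

end.
```

On the client, fill Method, Path, Body, DeviceId, Timestamp and a fresh Nonce (a GUID is enough for uniqueness), set Signature := SignRequest(R, DeviceSecret), and send DeviceId, Timestamp, Nonce and Signature as request headers next to the OAuth bearer token. The server looks the device secret up by DeviceId, which is also where Patrick's "stop access to each one" lands: deleting or flagging that record revokes the device without touching the user's other devices. The device secret is exactly the kind of key the rest of the thread says must be stored encrypted, never in the source or a repository.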
Die Holländer, Posted February 25
Using Windows? You can take a look at its Credential Manager. The credential data is readable/writable (easy with Delphi) when logged in to the machine and encrypted when outside the OS.
Lars Fosdal, Posted February 25
Or, if Azure is available, retrieve secrets from an Azure key vault.
GabrielMoraru, Posted 11 hours ago
On 2/25/2025 at 10:44 AM, Patrick PREMARTIN said: "- a private ID for the device"
Good luck obtaining a stable unique ID (hardware fingerprint) on Windows. 🙂
Vincent Parrett, Posted 7 hours ago
On 2/25/2025 at 10:02 PM, Die Holländer said: "Using Windows? You can take a look at its Credential Manager."
I published this last month: https://github.com/VSoftTechnologies/VSoft.WindowsCredentialManager
I didn't implement any UI parts, just basic storage and retrieval of credentials.
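The Credential Manager route that Die Holländer suggests and Vincent's library wraps, shown here against the raw advapi32 functions as an added example; this is not code from the thread and not the API of the VSoft library linked above, whose interface is not shown here. The point a practitioner hits first is the blob size: CRED_MAX_CREDENTIAL_BLOB_SIZE is 2560 bytes, which a long JWT access token can exceed, so the example stores UTF-8 and refuses oversized secrets instead of getting ERROR_INVALID_PARAMETER back from CredWriteW. The UTF-8 encoding choice and the caller-chosen TargetName are my assumptions.

```delphi
unit WinCredStore;
// Added example, not code from the thread and not the VSoft library's API:
// store an API key in the Windows Credential Manager via raw advapi32 calls.
// The UTF-8 blob encoding and the caller's TargetName are assumptions.

interface

function SaveSecret(const TargetName, UserName, Secret: string): Boolean;
function LoadSecret(const TargetName: string; out Secret: string): Boolean;
function DeleteSecret(const TargetName: string): Boolean;

implementation

uses
  System.SysUtils, Winapi.Windows;

type
  // Layout of CREDENTIALW from wincred.h (not declared in Winapi.Windows).
  CREDENTIALW = record
    Flags: DWORD;
    &Type: DWORD;
    TargetName: LPWSTR;
    Comment: LPWSTR;
    LastWritten: FILETIME;
    CredentialBlobSize: DWORD;
    CredentialBlob: PByte;
    Persist: DWORD;
    AttributeCount: DWORD;
    Attributes: Pointer;
    TargetAlias: LPWSTR;
    UserName: LPWSTR;
  end;
  PCREDENTIALW = ^CREDENTIALW;

const
  CRED_TYPE_GENERIC = 1;
  CRED_PERSIST_LOCAL_MACHINE = 2;
  CRED_MAX_CREDENTIAL_BLOB_SIZE = 5 * 512; // 2560 bytes, from wincred.h

function CredWriteW(Credential: PCREDENTIALW; Flags: DWORD): BOOL; stdcall;
  external 'advapi32.dll';
function CredReadW(TargetName: LPCWSTR; CredType, Flags: DWORD;
  out Credential: PCREDENTIALW): BOOL; stdcall; external 'advapi32.dll';
function CredDeleteW(TargetName: LPCWSTR; CredType, Flags: DWORD): BOOL;
  stdcall; external 'advapi32.dll';
procedure CredFree(Buffer: Pointer); stdcall; external 'advapi32.dll';

function SaveSecret(const TargetName, UserName, Secret: string): Boolean;
var
  Cred: CREDENTIALW;
  Blob: TBytes;
begin
  // UTF-8 keeps the blob small, but a long JWT can still exceed the limit;
  // fail with a clear message instead of ERROR_INVALID_PARAMETER later.
  Blob := TEncoding.UTF8.GetBytes(Secret);
  if Length(Blob) > CRED_MAX_CREDENTIAL_BLOB_SIZE then
    raise Exception.CreateFmt('Secret is %d bytes; Credential Manager allows %d',
      [Length(Blob), CRED_MAX_CREDENTIAL_BLOB_SIZE]);
  FillChar(Cred, SizeOf(Cred), 0);
  Cred.&Type := CRED_TYPE_GENERIC;
  Cred.TargetName := PWideChar(TargetName);
  Cred.UserName := PWideChar(UserName);
  Cred.CredentialBlobSize := Length(Blob);
  Cred.CredentialBlob := PByte(Blob);
  Cred.Persist := CRED_PERSIST_LOCAL_MACHINE; // survives logoff, per-user store
  Result := CredWriteW(@Cred, 0);
end;

function LoadSecret(const TargetName: string; out Secret: string): Boolean;
var
  Cred: PCREDENTIALW;
  Blob: TBytes;
begin
  Secret := '';
  Result := CredReadW(PWideChar(TargetName), CRED_TYPE_GENERIC, 0, Cred);
  if not Result then
    Exit; // ERROR_NOT_FOUND is the normal "no secret stored yet" case
  try
    SetLength(Blob, Cred.CredentialBlobSize);
    if Cred.CredentialBlobSize > 0 then
      Move(Cred.CredentialBlob^, Blob[0], Cred.CredentialBlobSize);
    Secret := TEncoding.UTF8.GetString(Blob);
  finally
    CredFree(Cred); // the struct and its blob are one allocation
  end;
end;

function DeleteSecret(const TargetName: string): Boolean;
begin
  Result := CredDeleteW(PWideChar(TargetName), CRED_TYPE_GENERIC, 0);
end;

end.
```

Use an application-specific TargetName such as 'MyApp/api-key' so the entry is easy to find and revoke in the Credential Manager UI, and check GetLastError when SaveSecret returns False. The protection boundary is the same as DPAPI, which Credential Manager uses underneath: the data is encrypted on disk and unreadable from another account or an offline copy of the drive, but any process running in the same user session can read it back, so it does not defend against malware already running as that user.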