nolanmaris Posted 6 hours ago

Hello

When integrating REST APIs in Delphi applications, handling authentication securely is a critical concern. 😇 Many modern APIs use OAuth 2.0, JWT, or API keys for authentication, but implementing these securely in a Delphi application can be tricky. Storing credentials safely, managing token expiration and preventing unauthorized access are some of the challenges developers face. 🤔

I'm particularly interested in best practices for securely handling authentication tokens in a Delphi REST client. How should we store and refresh OAuth 2.0 tokens? What are the safest ways to manage API keys without exposing them in the source code? Also, are there any built-in Delphi components or third-party libraries that simplify secure authentication in REST-based applications? 🤔

If anyone has experience securing authentication in Delphi applications, I'd appreciate insights!

Thank you! 🙂
Angus Robertson Posted 4 hours ago

Treat API keys and tokens as if they are passwords, and encrypt them, as we have forever, at least in properly written applications. The type of encryption and how you protect the key really depends on your security threat level.

Angus
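On Windows the usual answer to "how do I protect the encryption key" is not to hold one at all and let DPAPI derive it from the logged-on user's credentials. The following is an added example, not code from this thread or from any Delphi library; it declares CryptProtectData/CryptUnprotectData from crypt32.dll directly, and the entropy value, description string and sample token are assumptions. It shows the trust boundary Angus is pointing at: the blob is unreadable from another user account or another machine, but any process already running as the same user (and knowing the entropy) can decrypt it, so DPAPI raises the bar against file theft, not against malware in the same session.

```delphi
program ProtectToken;
{$APPTYPE CONSOLE}
// Added example: wrap an OAuth token with Windows DPAPI before writing it to
// disk or the registry. Windows derives the key from the logged-on user's
// credentials, so the blob is useless to another account or another machine.
uses
  Winapi.Windows, System.SysUtils, System.NetEncoding;

type
  DATA_BLOB = record
    cbData: DWORD;
    pbData: PByte;
  end;
  PDATA_BLOB = ^DATA_BLOB;

const
  CRYPTPROTECT_UI_FORBIDDEN = $01;  // never show a UI prompt, fail instead
  // Extra secret mixed into the key (assumed value; choose your own). Without
  // it any process of the same user can call CryptUnprotectData on the blob.
  AppEntropy = 'MyRestClient.tokens.v1';

function CryptProtectData(pDataIn: PDATA_BLOB; szDataDescr: PWideChar;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer;
  dwFlags: DWORD; pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';
function CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: Pointer;
  pOptionalEntropy: PDATA_BLOB; pvReserved, pPromptStruct: Pointer;
  dwFlags: DWORD; pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll';

function ToBlob(const Bytes: TBytes): DATA_BLOB;
begin
  Result.cbData := Length(Bytes);
  Result.pbData := PByte(Bytes);   // nil for an empty array, which DPAPI accepts
end;

// Copies DPAPI output into a Delphi-managed array and releases the LocalAlloc
// buffer that CryptProtectData/CryptUnprotectData handed back.
function TakeBlob(const Blob: DATA_BLOB): TBytes;
begin
  SetLength(Result, Blob.cbData);
  if Blob.cbData > 0 then
    Move(Blob.pbData^, Result[0], Blob.cbData);
  LocalFree(HLOCAL(Blob.pbData));
end;

// Plain token -> Base64 text that is safe to keep in an INI file or the registry.
function ProtectToken(const Token: string): string;
var
  Plain, Entropy: TBytes;
  InBlob, EntBlob, OutBlob: DATA_BLOB;
begin
  Plain := TEncoding.UTF8.GetBytes(Token);
  Entropy := TEncoding.UTF8.GetBytes(AppEntropy);
  InBlob := ToBlob(Plain);
  EntBlob := ToBlob(Entropy);
  if not CryptProtectData(@InBlob, 'OAuth token', @EntBlob, nil, nil,
                          CRYPTPROTECT_UI_FORBIDDEN, @OutBlob) then
    RaiseLastOSError;
  Result := TNetEncoding.Base64.EncodeBytesToString(TakeBlob(OutBlob));
  if Length(Plain) > 0 then
    FillChar(Plain[0], Length(Plain), 0);   // do not leave the plaintext around
end;

function UnprotectToken(const Base64Blob: string): string;
var
  Cipher, Entropy: TBytes;
  InBlob, EntBlob, OutBlob: DATA_BLOB;
begin
  Cipher := TNetEncoding.Base64.DecodeStringToBytes(Base64Blob);
  Entropy := TEncoding.UTF8.GetBytes(AppEntropy);
  InBlob := ToBlob(Cipher);
  EntBlob := ToBlob(Entropy);
  if not CryptUnprotectData(@InBlob, nil, @EntBlob, nil, nil,
                            CRYPTPROTECT_UI_FORBIDDEN, @OutBlob) then
    RaiseLastOSError;   // other user, other machine, wrong entropy or tampered blob
  Result := TEncoding.UTF8.GetString(TakeBlob(OutBlob));
end;

const
  SampleToken = 'eyJhbGciOi.constructed-sample-token';   // constructed, not a real JWT
var
  Stored: string;
begin
  Stored := ProtectToken(SampleToken);
  Writeln('stored form: ', Copy(Stored, 1, 40), '...');
  Writeln('round trip ok: ', UnprotectToken(Stored) = SampleToken);
end.
```

For a Windows service that must read the token under a different account, the CRYPTPROTECT_LOCAL_MACHINE flag scopes the blob to the machine instead of the user; that widens who can decrypt it to everyone on the box, so only use it when the service account really cannot own the secret itself.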
Patrick PREMARTIN Posted 4 hours ago

Depending on what you are developing you should have:
- a private ID for the user
- a private ID for the application/software/site/...
- a private ID for the device

Users or admins should be allowed to stop access to each one.

For each API call you should sign the content of the call and identify the user/app/device or both with one public ID, sign with the private ID and perhaps a public/private key or a one-time code for the API endpoint. Of course all API calls must be secured, at least over HTTPS.

Use API access levels depending on the app or the user or both.

All keys/tokens must be stored encrypted locally and never published in a code repository (even a private one).

And if you do things in JS, never put your keys in the code. Users have access to it and can see everything. (Never do JS things with a private API on a public site; it's an open door to your content.)
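The "public ID in the request, private ID used to sign" scheme above is an HMAC over a canonical form of the call. The block below is an added example written for this thread, not Patrick's code and not part of any Delphi library; it uses System.Hash for the HMAC and assumes header names (X-Client-Id, X-Timestamp, X-Nonce, X-Signature), a canonical layout and all sample values. Both the client half (build the headers) and the server half (check the time window, the nonce, the revocation lookup and the signature) are shown, because the replay and revocation checks are where such schemes usually fall short.

```delphi
program SignedApiCall;
{$APPTYPE CONSOLE}
// Added example of per-call signing: the request carries a public client ID
// plus an HMAC-SHA256 over method, path, timestamp, nonce and body hash, keyed
// with the device's private secret. Header names, the canonical layout and the
// sample values are assumptions.
uses
  System.SysUtils, System.Classes, System.Hash, System.DateUtils;

const
  MaxSkewSeconds = 300;   // reject requests more than 5 minutes off server time

type
  TSignedHeaders = record
    ClientId, Timestamp, Nonce, Signature: string;   // X-Client-Id, X-Timestamp, ...
  end;
  TSecretLookup = function(const PublicId: string): string;

// Both sides build exactly this string; hashing the body keeps it short while
// still binding the payload to the signature.
function CanonicalString(const Method, Path, Body: string; UnixTime: Int64;
  const Nonce: string): string;
begin
  Result := UpperCase(Method) + #10 + Path + #10 + IntToStr(UnixTime) + #10 +
            Nonce + #10 + THashSHA2.GetHashString(Body);
end;

function Sign(const Canonical, DeviceSecret: string): string;
begin
  Result := THashSHA2.GetHMAC(Canonical, DeviceSecret);   // lowercase hex
end;

function UtcNowUnix: Int64;
begin
  Result := DateTimeToUnix(TTimeZone.Local.ToUniversalTime(Now));
end;

// Client side. Put these four values into the request headers (with
// THTTPClient: TNetHeader.Create(...) entries passed as the AHeaders argument).
function SignRequest(const Method, Path, Body, PublicId, DeviceSecret: string): TSignedHeaders;
var
  UnixTime: Int64;
begin
  UnixTime := UtcNowUnix;
  Result.ClientId := PublicId;
  Result.Timestamp := IntToStr(UnixTime);
  Result.Nonce := TGUID.NewGuid.ToString;
  Result.Signature := Sign(CanonicalString(Method, Path, Body, UnixTime, Result.Nonce), DeviceSecret);
end;

// Digest comparison that does not stop at the first differing character.
function ConstantTimeEquals(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  if Length(A) <> Length(B) then Exit(False);
  Diff := 0;
  for I := 1 to Length(A) do
    Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

// Server side. Lookup returns '' for an unknown or revoked public ID, which is
// how "stop access" for a user/app/device is enforced.
function VerifyRequest(const Method, Path, Body: string; const H: TSignedHeaders;
  ServerUnixTime: Int64; Lookup: TSecretLookup; SeenNonces: TStrings): Boolean;
var
  UnixTime: Int64;
  Secret: string;
begin
  Result := False;
  if not TryStrToInt64(H.Timestamp, UnixTime) then Exit;
  if Abs(ServerUnixTime - UnixTime) > MaxSkewSeconds then Exit;   // stale or future-dated
  if SeenNonces.IndexOf(H.Nonce) >= 0 then Exit;                   // replay
  Secret := Lookup(H.ClientId);
  if Secret = '' then Exit;
  if not ConstantTimeEquals(
       Sign(CanonicalString(Method, Path, Body, UnixTime, H.Nonce), Secret), H.Signature) then Exit;
  SeenNonces.Add(H.Nonce);   // production: expire entries older than MaxSkewSeconds
  Result := True;
end;

function DemoLookup(const PublicId: string): string;
begin
  if PublicId = 'dev-7f3a' then Result := 'constructed-device-secret' else Result := '';
end;

var
  H: TSignedHeaders;
  Seen: TStringList;
begin
  Seen := TStringList.Create;
  try
    H := SignRequest('POST', '/v1/orders', '{"qty":1}', 'dev-7f3a', 'constructed-device-secret');
    Writeln('tampered body: ', VerifyRequest('POST', '/v1/orders', '{"qty":9}', H, UtcNowUnix, DemoLookup, Seen));
    Writeln('valid:         ', VerifyRequest('POST', '/v1/orders', '{"qty":1}', H, UtcNowUnix, DemoLookup, Seen));
    Writeln('replay:        ', VerifyRequest('POST', '/v1/orders', '{"qty":1}', H, UtcNowUnix, DemoLookup, Seen));
  finally
    Seen.Free;
  end;
end.
```

The device secret used as the HMAC key is exactly the kind of value the rest of this thread is about storing: it goes into DPAPI, the Credential Manager or a vault, never into the source or a repository. HTTPS is still required; the signature proves who sent the call and that it was not altered, it does not hide the body.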
Die Holländer Posted 2 hours ago

Using Windows? You can take a look at its "Credential Manager". The credential data is read/writeable (easy with Delphi) when logged in on the machine and encrypted when outside the OS.
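Below is an added example of the Credential Manager approach, written for this thread rather than taken from the poster or from a Delphi unit; it declares CredWriteW/CredReadW/CredDeleteW from advapi32.dll directly, and the target name, account name and token value are assumed. Two practical points it handles: a generic credential blob is capped at CRED_MAX_CREDENTIAL_BLOB_SIZE (2560 bytes), which many JWT access tokens exceed, so what belongs here is the refresh token while the access token lives in memory only; and a missing entry must be told apart from a real error so first start does not look like a failure.

```delphi
program CredManTokens;
{$APPTYPE CONSOLE}
// Added example: keep a refresh token in the Windows Credential Manager via
// CredWriteW/CredReadW from advapi32. Target and account names are assumed.
uses
  Winapi.Windows, System.SysUtils;

const
  CRED_TYPE_GENERIC             = 1;
  CRED_PERSIST_LOCAL_MACHINE    = 2;        // survives logoff, not roamed
  CRED_MAX_CREDENTIAL_BLOB_SIZE = 5 * 512;  // hard limit from wincred.h

type
  PCREDENTIALW = ^CREDENTIALW;
  CREDENTIALW = record
    Flags: DWORD;
    Type_: DWORD;                 // "Type" is a reserved word in Delphi
    TargetName: LPWSTR;
    Comment: LPWSTR;
    LastWritten: FILETIME;
    CredentialBlobSize: DWORD;
    CredentialBlob: PByte;
    Persist: DWORD;
    AttributeCount: DWORD;
    Attributes: Pointer;
    TargetAlias: LPWSTR;
    UserName: LPWSTR;
  end;

function CredWriteW(Credential: PCREDENTIALW; Flags: DWORD): BOOL; stdcall;
  external 'advapi32.dll';
function CredReadW(TargetName: LPCWSTR; Type_, Flags: DWORD;
  out Credential: PCREDENTIALW): BOOL; stdcall; external 'advapi32.dll';
function CredDeleteW(TargetName: LPCWSTR; Type_, Flags: DWORD): BOOL; stdcall;
  external 'advapi32.dll';
procedure CredFree(Buffer: Pointer); stdcall; external 'advapi32.dll';

procedure SaveToken(const Target, Account, Token: string);
var
  Cred: CREDENTIALW;
  Blob: TBytes;
begin
  Blob := TEncoding.UTF8.GetBytes(Token);
  // JWT access tokens are often longer than this; store the refresh token
  // here and keep the access token in memory only.
  if Length(Blob) > CRED_MAX_CREDENTIAL_BLOB_SIZE then
    raise Exception.CreateFmt('token is %d bytes, Credential Manager allows %d',
      [Length(Blob), CRED_MAX_CREDENTIAL_BLOB_SIZE]);
  FillChar(Cred, SizeOf(Cred), 0);
  Cred.Type_ := CRED_TYPE_GENERIC;
  Cred.TargetName := PWideChar(Target);
  Cred.UserName := PWideChar(Account);
  Cred.CredentialBlobSize := Length(Blob);
  Cred.CredentialBlob := PByte(Blob);
  Cred.Persist := CRED_PERSIST_LOCAL_MACHINE;
  if not CredWriteW(@Cred, 0) then
    RaiseLastOSError;
  if Length(Blob) > 0 then
    FillChar(Blob[0], Length(Blob), 0);   // wipe our own copy
end;

// Returns False (without raising) when no token is stored yet.
function LoadToken(const Target: string; out Token: string): Boolean;
var
  P: PCREDENTIALW;
  Bytes: TBytes;
begin
  Token := '';
  if not CredReadW(PWideChar(Target), CRED_TYPE_GENERIC, 0, P) then
  begin
    if GetLastError = ERROR_NOT_FOUND then Exit(False);
    RaiseLastOSError;
  end;
  try
    SetLength(Bytes, P.CredentialBlobSize);
    if P.CredentialBlobSize > 0 then
      Move(P.CredentialBlob^, Bytes[0], P.CredentialBlobSize);
    Token := TEncoding.UTF8.GetString(Bytes);
  finally
    CredFree(P);   // the OS allocated the structure; we must release it
  end;
  Result := True;
end;

// Call this on logout or when the device is revoked on the server.
procedure ForgetToken(const Target: string);
begin
  if not CredDeleteW(PWideChar(Target), CRED_TYPE_GENERIC, 0) then
    if GetLastError <> ERROR_NOT_FOUND then
      RaiseLastOSError;
end;

const
  Target = 'MyRestClient/api.example.com/refresh-token';   // assumed name
var
  T: string;
begin
  SaveToken(Target, 'alice', 'constructed-refresh-token-value');
  if LoadToken(Target, T) then
    Writeln('loaded ', Length(T), ' chars');
  ForgetToken(Target);
  Writeln('after delete, present = ', LoadToken(Target, T));
end.
```

The Credential Manager stores the blob under the user's DPAPI key, so the protection boundary is the same as with DPAPI directly: another account or a copied disk image gets nothing, but any program running as this user can call CredReadW on the same target name. What it adds is a managed store the user can inspect and clear from the control panel.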
Lars Fosdal Posted 2 hours ago

Or, if Azure is available, retrieve secrets from an Azure Key Vault.