Guide to API Auth & A Novel Approach
Blog post from Speakeasy
The blog post surveys the common ways to authenticate API calls and the trade-offs between them, then introduces the approach Speakeasy adopted. It covers opaque tokens, OAuth 2.0, public/private key pairs, and signed tokens, weighing each on verification speed, ease of integration, and security. Speakeasy's approach uses signed tokens as API keys, with a distinct signing key for every API key: revocation becomes a matter of withdrawing one public key, a leaked signing key affects only that one API key, and the key stays as easy to use as a shared secret. The implementation uses asymmetrically signed JWTs, publishes the public keys at a JWKS URI, and has API gateways keep a short-lived cache of those keys: the cache TTL is the upper bound on how long a revoked key is still accepted, while caching keeps verification local to the gateway with no per-request round trip to the issuer. The post closes with performance benchmarks using Envoy and Google Endpoints, showing that the approach scales for modern API applications.
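As an added, self-contained example (not code from the Speakeasy post or its implementation), here is the flow described above in Go using only the standard library: a hypothetical issuer mints one P-256 key pair per API key and signs an ES256 JWT carrying that key's kid, publishes the public halves as a JWKS document, and a hypothetical gateway verifies tokens against a cached copy of that document, refetched only once the cache TTL has elapsed, so revoking a key (deleting it from the JWKS) takes effect at the gateway within one TTL. The names Issuer, Gateway, IssueAPIKey, Revoke and Verify, and the Fetch callback standing in for an HTTP GET of the JWKS URI, are assumptions of this example; the JWKS is held in memory rather than served over HTTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// be32 renders a P-256 coordinate or signature value as 32 big-endian bytes.
func be32(n *big.Int) []byte { b := make([]byte, 32); n.FillBytes(b); return b }

// Issuer is a hypothetical API-key service: one P-256 key pair per API key, indexed by kid.
type Issuer struct{ keys map[string]*ecdsa.PrivateKey }

func NewIssuer() *Issuer { return &Issuer{keys: map[string]*ecdsa.PrivateKey{}} }

// IssueAPIKey mints a fresh key pair and returns its kid plus an ES256 JWT that the
// customer presents as their API key. The private key never leaves the issuer.
func (is *Issuer) IssueAPIKey(subject string, now time.Time, ttl time.Duration) (string, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", "", err }
	sum := sha256.Sum256(append(be32(priv.X), be32(priv.Y)...))
	kid := b64.EncodeToString(sum[:8]) // derived from the public key, so unique per API key
	is.keys[kid] = priv
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"sub": subject, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", "", err }
	return kid, input + "." + b64.EncodeToString(append(be32(r), be32(s)...)), nil
}

// Revoke drops the key: the JWKS stops advertising it at once, and each gateway
// rejects the token as soon as its cached copy of the JWKS ages out.
func (is *Issuer) Revoke(kid string) { delete(is.keys, kid) }

// JWKS is the document served at the JWKS URI: public halves only.
func (is *Issuer) JWKS() []byte {
	keys := []map[string]string{}
	for kid, k := range is.keys {
		keys = append(keys, map[string]string{"kty": "EC", "crv": "P-256", "kid": kid,
			"x": b64.EncodeToString(be32(k.X)), "y": b64.EncodeToString(be32(k.Y))})
	}
	out, _ := json.Marshal(map[string]any{"keys": keys})
	return out
}

// Gateway verifies tokens against a copy of the JWKS refetched at most every CacheTTL;
// that TTL is the upper bound on how long a revoked key keeps working.
type Gateway struct {
	Fetch     func() []byte // stands in for an HTTP GET of the JWKS URI (assumption of this example)
	CacheTTL  time.Duration
	keys      map[string]*ecdsa.PublicKey
	fetchedAt time.Time
}

// refresh replaces the cached key set; entries the gateway cannot use are skipped.
func (g *Gateway) refresh(now time.Time) error {
	var set struct{ Keys []map[string]string }
	if err := json.Unmarshal(g.Fetch(), &set); err != nil { return err }
	g.keys = map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		if k["kty"] == "EC" && k["crv"] == "P-256" && errX == nil && errY == nil {
			g.keys[k["kid"]] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	g.fetchedAt = now
	return nil
}

// Verify returns the subject if the kid is still published, the ES256 signature
// covers header.payload, and the token has not expired.
func (g *Gateway) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("only ES256 is accepted") // never let the token choose the algorithm
	}
	if g.keys == nil || now.Sub(g.fetchedAt) >= g.CacheTTL {
		if err := g.refresh(now); err != nil { return "", err }
	}
	pub, ok := g.keys[hdr.Kid]
	if !ok { return "", errors.New("unknown or revoked kid") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return "", errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature mismatch")
	}
	var claims struct{ Sub string; Exp int64 }
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", errors.New("malformed claims")
	}
	if now.Unix() >= claims.Exp { return "", errors.New("token expired") }
	return claims.Sub, nil
}
```

Two design points are worth noting. The gateway pins the algorithm to ES256 and selects the key by kid alone; it never lets the token's own header pick the algorithm, which closes the classic alg=none and key-confusion mistakes. And the cache cuts both ways: a gateway that fetched the JWKS just before a new API key was issued will not know that kid until its copy ages out, so a production gateway usually also refetches on an unknown kid, rate-limited so that a flood of bogus kids cannot turn it into a request amplifier against the JWKS endpoint.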