Why I love basic auth (2015)

Author: amzans

Score: 17

Comments: 5

Date: 2020-11-04 02:30:42

________________________________________________________________________________

forgotmypw17 wrote at 2020-11-04 03:10:38:

I also love basic auth, and built in an option for it into my blog/publishing engine.

It's supported by pretty much every browser and client, going back to classics like Mosaic and Netscape.

I can also use it flexibly combined with cookies, since the initial request already contains cookies, and I can skip auth for those who already have them.

The biggest advantage of using HTTP auth for my site I've found is that it's cut my bot traffic to nearly zero.

I'm now sure that most traffic is, if not 100% human, at least has a human element.

I set the credentials to admin:admin and AzureDiamond:hunter2 by default.

To be fair, I run a service for hackers and don't care about being found in search engines, like, at all.

nunez wrote at 2020-11-04 05:52:15:

I was with Randall until I wrote my own OAuth v1 client for some scripts I wrote to work with TripIt’s API.

OAuth is a pain, but being able to scope and revoke tokens is much nicer than giving developers an API key pair and hoping that they don’t message it to their peers over Slack.

rdegges wrote at 2020-11-04 16:32:04:

You can still scope with basic auth, it just ends up being implemented server side and not inside of a JWT. Like what AWS does with IAM, for example :D
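[Added example, not part of the thread or any commenter's code.] A minimal sketch of the server-side scoping and revocation discussed in the comment above: the Basic credential is an API key pair, and scope and revocation live in a server-side table. The key ids, secrets, scope names and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac

def _h(secret):
    # Assumes secrets are long random strings; user-chosen passwords need a slow KDF.
    return hashlib.sha256(secret.encode("utf-8")).digest()

# Constructed sample store: key id -> secret hash, allowed scopes, revoked flag.
KEYS = {
    "key_reader": {"hash": _h("s3cr3t-reader-000"), "scopes": {"posts:read"}, "revoked": False},
    "key_writer": {"hash": _h("s3cr3t-writer-111"),
                   "scopes": {"posts:read", "posts:write"}, "revoked": False},
}

def parse_basic(header):
    """Return (key_id, secret) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    key_id, sep, secret = decoded.partition(":")  # split on the first colon only
    return (key_id, secret) if sep else None

def authorize(header, required_scope):
    """Return an HTTP status: 401 bad or revoked key, 403 missing scope, 200 ok."""
    creds = parse_basic(header)
    if creds is None:
        return 401
    key_id, secret = creds
    record = KEYS.get(key_id)
    # Compare against a dummy hash for unknown ids so timing does not reveal valid ids.
    expected = record["hash"] if record else _h("dummy")
    ok = hmac.compare_digest(_h(secret), expected)
    if not ok or record is None or record["revoked"]:
        return 401
    return 200 if required_scope in record["scopes"] else 403

def revoke(key_id):
    """Server-side revocation: takes effect on the very next request."""
    KEYS[key_id]["revoked"] = True

def basic_header(key_id, secret):
    """Build the header a client would send (used here to make sample requests)."""
    return "Basic " + base64.b64encode(f"{key_id}:{secret}".encode()).decode()
```
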

nunez wrote at 2020-11-05 06:07:06:

That’s a good point.

To be clear: I am a gigantic fan of API key pairs.

jgalt212 wrote at 2020-11-06 13:37:10:

I have never been able to get basic auth to work with apache/mod_wsgi/django. Someone somewhere is stripping out the header.