Legacy Authentication Methods 🗄️ Archived
Archived documentation for deprecated authentication methods
This document covers authentication methods that are no longer supported.
Basic Authentication (Deprecated 2023)
Basic authentication was deprecated due to security concerns.
How It Worked
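```http
GET /api/resources
Authorization: Basic base64(username:password)
```

```python
import base64
import requests

# Example endpoint; matches the request shown above
url = "https://api.example.com/api/resources"
username = "user@example.com"
password = "password"

# Basic auth sends "username:password", base64-encoded (not encrypted), on every request
credentials = f"{username}:{password}"
encoded = base64.b64encode(credentials.encode()).decode()
headers = {
    "Authorization": f"Basic {encoded}"
}
response = requests.get(url, headers=headers)
```
Why It Was Deprecated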
- Passwords sent with every request
- No token expiration
- Difficult to revoke access
- Not suitable for third-party integrations
Migration Path
Replace with JWT authentication:
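```python
import requests

username = "user@example.com"
password = "password"

# Get JWT token
response = requests.post(
    "https://api.example.com/v1/auth/login",
    json={"email": username, "password": password}
)
response.raise_for_status()  # stop here if the login was rejected
token = response.json()['access_token']

# Use token
headers = {"Authorization": f"Bearer {token}"}
```
API Tokens v1 (Deprecated 2024)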
Original API tokens were replaced with a more secure version.
Old Format
```text
api_v1_1234567890abcdef
```
Issues
- No expiration
- No granular permissions
- Couldn’t be rotated easily
- No usage tracking
New Format
```text
sk_live_abc123xyz789...
```
Migration
- Generate new API key in dashboard
- Update your code to use new key
- Delete old API token
OAuth 1.0 (Sunset 2023)
OAuth 1.0 was sunset in favor of OAuth 2.0.
Key Differences
| OAuth 1.0 | OAuth 2.0 |
|---|---|
| Complex signing | Bearer tokens |
| No refresh tokens | Refresh tokens |
| Limited scopes | Granular scopes |
Migration to OAuth 2.0
See our OAuth 2.0 guide for implementation details.
Session Tokens (Deprecated 2022)
Old session-based authentication for web apps.
How It Worked
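```python
import requests

# Login
response = requests.post(
    "https://api.example.com/api/login",
    json={"username": "...", "password": "..."}
)
session_token = response.json()['session_token']

# Store in cookie (client-side cookie jar, sent with later requests)
client = requests.Session()
client.cookies.set('session', session_token)
```
Replacement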
Use JWT tokens with HttpOnly cookies for web applications.
API Keys with Query Parameters (Deprecated 2023)
Passing API keys in URL query parameters was deprecated for security reasons.
Old Method (Insecure)
```bash
curl "https://api.example.com/resources?api_key=secret123"
```
Problems
- Keys logged in server logs
- Keys visible in browser history
- Keys leaked in referer headers
- Keys shared in screenshots
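One way to audit existing access logs for the first and third problems above, added here as an example and not part of the original documentation. It assumes Combined Log Format and the `api_key` parameter name from the curl example; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Combined Log Format (assumed): request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
KEY_PARAMS = {"api_key"}  # parameter name taken from the deprecated curl example

def redact_url(url):
    """Return (url_with_key_values_replaced, found_flag)."""
    parts = urlsplit(url)
    found, pairs = False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in KEY_PARAMS:
            found, value = True, "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(pairs))), True

def scan(lines):
    """Return one finding per log line that exposes a key, with the line scrubbed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        target, in_target = redact_url(m["target"])
        referer, in_referer = redact_url(m["referer"])
        if not (in_target or in_referer):
            continue
        where = [w for w, hit in (("request", in_target), ("referer", in_referer)) if hit]
        clean = line
        if in_target:
            clean = clean.replace(m["target"], target)
        if in_referer:
            clean = clean.replace(m["referer"], referer)
        findings.append({"line": lineno, "ip": m["ip"], "where": where, "clean": clean})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Feb/2023:10:01:02 +0000] "GET /resources?api_key=secret123&page=2 HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.9 - - [12/Feb/2023:10:01:05 +0000] "GET /v1/resources HTTP/1.1" 200 512 "-" "curl/7.88"',
    '198.51.100.4 - - [12/Feb/2023:10:02:11 +0000] "GET /logo.png HTTP/1.1" 200 90 "https://app.example.com/view?api_key=secret123" "Mozilla/5.0"',
]
```

Any key that `scan` reports should be treated as exposed and rotated, since the unredacted value already sits in the original log.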
Current Method
Always use headers:
```bash
curl "https://api.example.com/v1/resources" \
  -H "X-API-Key: secret123"
```
Master API Keys (Removed 2023)
Master keys with full account access were removed.
Why They Were Dangerous
- One compromised key = full account access
- No way to limit permissions
- Difficult to audit usage
- No key rotation policy
Replacement
Use role-based API keys with specific scopes:
```json
{
  "name": "Production Key",
  "scopes": [
    "read:resources",
    "write:resources"
  ]
}
```
Historical Timeline
| Date | Change |
|---|---|
| Jan 2022 | Session tokens deprecated |
| Jun 2022 | Basic authentication deprecated |
| Dec 2022 | OAuth 1.0 sunset |
| Mar 2023 | Query parameter API keys disabled |
| Jun 2023 | Master API keys removed |
| Sep 2023 | API tokens v1 deprecated |
| Dec 2023 | All legacy auth methods disabled |