The Movie Database Support

The v3 auth is inherently insecure as passing secrets in a URL (e.g. session id, API key, etc) is a security vulnerability as they are saved in browser history, server logs, people can post a link containing credentials unaware that they have exposed their auth details, can be exposed in the 'Referer' header, can be cached by analytics companies, etc.

The v4 auth uses a Bearer token in a header to avoid this vulnerability, however it appears to require a User token to authenticate, as such there is no secure way to authenticate an application without user credentials.

Would it be possible to add support for passing the API key and Session ID in a header for a more secure v3 auth? Would it also be possible to add support for generating v4 auth application and guest session tokens that do not require user credentials?

3 replies (on page 1 of 1)

Jump to last post

v3 is getting support for the Bearer tokens shortly (next week or two). My open ticket for that is here.

You can currently use your read token as a replacement for the api_key param on v4, and that's what will be getting added to v3. This token does not need user authentication, feature wise, it has parity with the api_key. The only thing needing user auth is the user features, same as the way session ID's and guest session ID's work.

I can post an update on this discussion when v3 has support for the bearer token.

If you wish, you can now use the same method to authenticate v3 & v4. Just pass your v4 token in as a Authorization header, as a Bearer token. Same as v4.

Awesome, thanks!

Global

s focus the search bar
p open profile menu
esc close an open window
? open keyboard shortcut window

On media pages

b go back (or to parent when applicable)
e go to edit page

On TV season pages

(right arrow) go to next season
(left arrow) go to previous season

On TV episode pages

(right arrow) go to next episode
(left arrow) go to previous episode

On all image pages

a open add image window

On all edit pages

t open translation selector
ctrl+ s submit form

On discussion pages

n create new discussion
w toggle watching status
p toggle public/private
c toggle close/open
a open activity
r reply to discussion
l go to last reply
ctrl+ enter submit your message
(right arrow) next page
(left arrow) previous page