For an HTTP(S) API, which is better (/ which is better under which circumstances)?
- Hawk authentication (a secret key is used to create a signature which is transmitted with the request: similar to AWS Signature v4)
- API key authentication (a secret key itself transmitted with the request)
A downside of Hawk is that since the secret key isn't transmitted, only a signature, the server has to store the secret part of the key somewhere in plain text (/ be able to convert it to plain text) in order to sign the incoming requests itself and compare the result to the incoming signature.
A downside of the API key is that the secret key itself is transmitted.
(Acceptable answers could include "neither: instead do X in circumstance Y because Z")