
For publishing workflows, you should be using an API token (which only allows access to the upload endpoint and nothing else; critically, you can’t modify your account via an API token). This is consistent with how most other services handle both user and machine interaction, and (IMO) strikes the right balance between security and practicality.



And I hear this is improving to allow short-lived publication tokens and federation to prevent them from being leaked :)


Indeed! Thanks for bringing that up; there’s a ton of really great work coming in the near future.



