Is OAuth 2.0 appropriate for my use-case?

Time:04-20

I am building a RESTful API that allows users to access and manage their own resources programmatically (via cURL/HTTP) instead of using the dashboard we provide.

I have my own authorization server and resource servers, so there is no third party involved. I am torn between using OAuth 2.0 and simple API keys. OAuth 2.0 seems like overkill, yet I don't want to release a public API and then change the authorization method in the future.

Is it possible to build a hybrid solution where users can log-in to the dashboard, generate a "refresh-token", specify the scope, then copy this refresh-token and use it in their own code to call the /token endpoint and get an access token?

This would be similar to OAuth 2.0, except that the authorization step is done directly by the authenticated user on the first-party dashboard. Is this a legitimate solution? Do you have any other recommendations?

CodePudding user response:

OAuth2 is for outsourcing user/password/MFA management and integrating with social logins. You seem to manage users in your dashboard already. On that basis, issuing a manual access token as you described works, provided you sign it and verify the signature in the API/resource servers.
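As an added illustration of the hybrid flow the question describes and the signing requirement the answer gives (example code written for this page, not code from the poster or from any project), the script below implements the three pieces: the dashboard step that issues an opaque, scoped refresh token (stored only as a hash), a `/token` exchange that mints a short-lived HMAC-signed access token, and the check a resource server runs. The shared `SIGNING_KEY`, the in-memory `_refresh_store`, the TTLs and all function names are assumptions for the example, and the `now` parameters exist only so the flow can be exercised at a fixed time.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed shared secret between the authorization server and the resource
# servers (hypothetical value; in production load it from a secret store).
SIGNING_KEY = b"replace-me-with-32-random-bytes-from-a-secret-store"
ACCESS_TOKEN_TTL = 3600                 # seconds; access tokens are short-lived
REFRESH_TOKEN_TTL = 90 * 24 * 3600      # seconds; refresh tokens live longer

# Constructed in-memory store standing in for the authorization server's DB:
# sha256(refresh_token) -> record. Only the hash is kept, so a leaked table
# does not hand out usable refresh tokens.
_refresh_store = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_refresh_token(user_id: str, scopes: list, now: float = None) -> str:
    """Dashboard step: the logged-in user picks scopes and receives an opaque token.

    The raw token is returned exactly once for the user to copy; only its hash is stored.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    _refresh_store[digest] = {
        "sub": user_id,
        "scope": sorted(set(scopes)),
        "exp": now + REFRESH_TOKEN_TTL,
        "revoked": False,
    }
    return raw


def revoke_refresh_token(raw: str) -> bool:
    """Lets the user (or an incident responder) kill a leaked refresh token."""
    rec = _refresh_store.get(hashlib.sha256(raw.encode()).hexdigest())
    if rec is None:
        return False
    rec["revoked"] = True
    return True


def _sign(signing_input: bytes) -> str:
    return b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def token_endpoint(refresh_token: str, now: float = None):
    """POST /token: exchange a refresh token for a signed, short-lived access token.

    Returns a dict shaped like an OAuth 2.0 token response, or None when the
    refresh token is unknown, expired or revoked.
    """
    now = time.time() if now is None else now
    rec = _refresh_store.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": rec["sub"],
        "scope": " ".join(rec["scope"]),   # scopes are fixed at issuance, not chosen by the caller
        "iat": int(now),
        "exp": int(now) + ACCESS_TOKEN_TTL,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    token = signing_input + "." + _sign(signing_input.encode())
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL, "scope": claims["scope"]}


def verify_access_token(token: str, required_scope: str, now: float = None):
    """Resource-server check: signature, expiry and scope. Returns the claims or None."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:          # bad base64, bad JSON, or wrong number of parts
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never choose it ("alg": "none" style attacks).
    if header.get("alg") != "HS256":
        return None
    expected = _sign((header_b64 + "." + claims_b64).encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if required_scope not in str(claims.get("scope", "")).split():
        return None
    return claims
```

Because the exchange has the shape of the OAuth 2.0 `refresh_token` grant (opaque refresh token in, bearer access token out), clients written against it keep working if full OAuth flows are added later. HS256 is adequate while the authorization server and every resource server belong to the same trust domain; once resource servers multiply, an asymmetric signature (for example RS256 or EdDSA) lets them verify with a public key alone instead of each holding the signing secret.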
