Macaroons Escalated Quickly (
from tedu to cloudsec on 31 Jan 2024 21:56

Let’s implement an API token together. It’s a design called “Macaroons”, but don’t get hung up on that yet.

Macaroons are user-editable tokens that enable JIT-generated least-privilege tokens. With minimal ceremony and no additional API requests, a banking app Macaroon lets you authorize a request with a caveat like, I don’t know, {'maxAmount': '$5'}. I mean, something way better than that, probably lots of caveats, not just one, but you get the idea: a token so minimized you feel safe sending it with your request. Ideally, a token that only authorizes that single, intended request.
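The mechanism behind "user-editable" tokens is an HMAC chain: the server signs the token with a root key, and anyone holding the token can append a caveat by re-keying the HMAC with the current signature, which makes caveats add-only. The following is an added illustration, not code from the original article or from any macaroon library; the `maxAmount=...` / `account=...` caveat syntax and the `_caveat_holds` predicate checker are assumptions for this example, and real implementations also define a serialization format and third-party caveats, which are left out here.

```python
import hmac
import hashlib

# Constructed example of a minimal Macaroon-style token (HMAC chain).
# Not the article's code and not a production library.


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Server mints a token: sig = HMAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier.encode())}


def add_caveat(token: dict, caveat: str) -> dict:
    """Holder attenuates the token without any key: sig' = HMAC(sig, caveat).
    The previous signature cannot be recovered from the new one, so a caveat
    can be added by anyone but removed by no one."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": _mac(token["sig"], caveat.encode()),
    }


def _caveat_holds(caveat: str, request: dict) -> bool:
    """Assumed 'key=value' predicate format for this example."""
    key, _, value = caveat.partition("=")
    if key == "maxAmount":
        # Missing amount -> +inf -> predicate fails (fail closed).
        return request.get("amount", float("inf")) <= float(value)
    if key == "account":
        return request.get("account") == value
    return False  # unknown caveat: fail closed rather than ignore it


def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Server re-derives the whole chain from root_key, checks the final
    signature in constant time, then evaluates every caveat against the
    incoming request."""
    sig = _mac(root_key, token["id"].encode())
    for c in token["caveats"]:
        sig = _mac(sig, c.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_caveat_holds(c, request) for c in token["caveats"])


if __name__ == "__main__":
    root = b"server-secret"  # constructed sample root key
    base = mint(root, "user-42")
    capped = add_caveat(base, "maxAmount=5")
    print(verify(root, capped, {"amount": 3}))    # True
    print(verify(root, capped, {"amount": 50}))   # False
```

The interesting property to test is that stripping a caveat while keeping the attenuated signature fails verification, because the server recomputes the chain from its root key and the shortened chain produces a different MAC. Unknown caveats fail closed; a verifier that silently ignored predicates it did not understand would let a holder "attenuate" a token with no-op caveats.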
