API changes: More security
Thursday, April 3rd, 2008

We have changed our API in an important way in order to prevent Cross Site Request Forgery attacks. APIs which use implicit authentication (e.g., HTTP Basic authentication or cookies) are vulnerable to such attacks, because the browser attaches those credentials to every request automatically, whether or not the user intended to make it.
What’s the change?
- We have added an explicit ‘login’ command which returns a “token” for the session if the login is successful.
- Subsequent commands in the session must all include this token in order to be processed.
- The token expires after a “reasonable” time-out, on the order of 10 minutes or so.
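To make the three points above concrete, here is an added example of what the server side of such a scheme looks like. It is illustrative code written for this post, not the service's own implementation, and it assumes details the post does not state: commands arrive as dictionaries with a `cmd` key, the token is carried in an explicit `token` field of the request rather than in a cookie or `Authorization` header, the credential store and the `balance` command are constructed for the demo, and the time-out is exactly 10 minutes. The `now` parameter exists only so the expiry can be exercised deterministically.

```python
"""Session-token gate for a command API (constructed example, not the
service's own code). Assumptions: commands are dicts with a "cmd" key,
the token travels in an explicit "token" field, and the time-out is
10 minutes."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 600  # the post's "on the order of 10 minutes"
_SALT = b"constructed-salt"  # constructed; real code uses a per-user random salt


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, pbkdf2 hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Live sessions: token -> (username, expiry timestamp).
_sessions: Dict[str, Tuple[str, float]] = {}


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Explicit login: verify the password and return a fresh session token,
    or None on failure. The token is random and unguessable, and it is never
    sent by the browser on its own, which is what defeats a cross-site forgery."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)  # same cost for unknown users
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def validate_token(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the username bound to a live token, or None if the token is
    missing, unknown or expired. Expired entries are dropped on sight."""
    now = time.time() if now is None else now
    if not token or token not in _sessions:
        return None
    username, expires_at = _sessions[token]
    if now >= expires_at:
        del _sessions[token]
        return None
    return username


def handle_command(request: dict, now: Optional[float] = None) -> dict:
    """Dispatch one command. Everything except 'login' must carry a valid token."""
    cmd = request.get("cmd")
    if cmd == "login":
        token = login(request.get("user", ""), request.get("password", ""), now)
        return {"ok": token is not None, "token": token}
    user = validate_token(request.get("token"), now)
    if user is None:
        return {"ok": False, "error": "missing, invalid or expired token"}
    if cmd == "balance":  # constructed demo command
        return {"ok": True, "user": user, "balance": "42.00"}
    return {"ok": False, "error": "unknown command %r" % (cmd,)}


if __name__ == "__main__":
    session = handle_command({"cmd": "login", "user": "alice", "password": "correct horse"})
    print(handle_command({"cmd": "balance", "token": session["token"]}))
    print(handle_command({"cmd": "balance"}))  # rejected: no token
```

The important property is that a forged request from another site cannot satisfy `validate_token`: the attacker's page can make the victim's browser send cookies or a cached Basic-auth header, but it cannot read or guess a token that was returned only to the legitimate script. The expiry check bounds how long a leaked token stays useful, which is the reason for the short time-out.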
I hope it will not be too much of a hassle for you to adapt your scripts. Security is paramount when it comes to handling finances.