Developer
Developer section describes authentication and authorization mechanisms used on the platform to perform automated tasks.
Authorization and Authentication
In order to talk to the BountyHub back-end, you have to be authenticated. I know that you are all hackers, but let's go through these concepts just in case :).
Authentication is basically allowing the back-end to know who is issuing the requests.
Authorization is a mechanism that allows/rejects requests. You can be authenticated, but not authorized to perform specific action. For example, if your personal access token does not have permission to fetch the job result, even though we know your app is making the request, we will not allow it to go through.
This works both ways, you can be authorized and not authenticated to perform the specific action. Let's say you are creating an account. The back-end has no idea who you are, but you are granted the permission to create this record.
Having said that, BountyHub currently provides 2 ways to authorize and authenticate:
- Cookies: Meant to be used by the browser when you are using the bountyhub.org website. Although you can automate stuff using cookies, it is not recommended and supported way of using the API.
- Personal Access Tokens (PATs): Unique random token associated to you, that has assigned permissions to call specific APIs. This is the recommended way of talking to the API.
Since PATs are the way you will (hopefully) be using to talk to the API, let's describe what is it and how it works.
Personal Access Tokens
Personal Access Tokens are meant to be the authentication and authorization mechanism used by your apps to talk to the BountyHub API. Each token gets an assigned scope, and on each API call issued with this token is checked against the assigned permissions.
PATs have the reserved prefix. The prefix is in form bh[VERSION]_[RANDOM_ELEMENT].
The version specifies the token version. This ensures that future changes to the PAT are handled differently, while preserving the old behavior until it is finally deprecated and removed.
The random element is the unique random identifier.
Personal access tokens can be used by your custom scripts, or by officially provided tools, such as bh CLI.