Which REST-based authentication type remains valid until the service endpoint provider or the client manually revokes it?
A. Access tokens
B. Client certificates
C. Session cookies
D. API keys
Answer (2)
The REST-based authentication type that remains valid until manually revoked is D. API keys. They are issued to clients and allow for persistent access unless specifically invalidated. This makes them suitable for ongoing API interactions without the need for renewal.
;
When discussing REST-based authentication methods, it's important to understand how different methods manage their validity period and revocation process.
(A) Access tokens : Access tokens are often used in OAuth 2.0 authentication. They have a short lifespan and can be revoked by the server or client. They are typically refreshed before they expire, requiring continuous re-authentication.
(B) Client certificates : These are used in mutual TLS (Transport Layer Security). Client certificates are considered a strong form of authentication and remain valid until they expire or are revoked by the certificate authority.
(C) Session cookies : These are used to maintain a user's session over multiple requests. They generally persist for the duration of a session, managed server-side, and can be invalidated by server actions or after a certain period.
(D) API keys : API keys are unique codes used to identify the calling program or user. They do not expire until they are manually revoked by either the client or the service endpoint provider.
The correct answer is (D) API keys because they remain valid until the service endpoint or the client explicitly revokes them. Unlike access tokens or session cookies, which may expire on their own, API keys last until they are manually invalidated.
In summary, while access tokens and session cookies have a natural expiration period and client certificates rely on expiry dates or revocation by authority, API keys persist and are valid indefinitely unless acted upon by the service or client to revoke them.
