The authentication system for this API is a fucking joke. Rather than use established standards like OAuth or dedicated (hashed) API tokens, they require that users of the API authenticate with the SAME CREDENTIALS that are used to sign in to their system. This is a KNOWN ANTI-PATTERN in the technical world for many reasons.

It’s problematic because it requires integrators to keep this password on file, and to keep it in a form they can replay on every request (plaintext or reversibly encrypted), so it can’t even be hashed like a normal stored password. If there were any security issue in the integrator platform it would expose the user’s BioTrack login credentials in full, not just some limited API access.

It’s completely stupid to have users share their username/password with integrators. Ask anyone. Practically every other technology company that exposes an API issues some kind of dedicated, unique token instead.

What BioTrackTHC Should Do

First, all integrators should be issued a unique API key. This would allow each integrator to be positively identified, and a single compromised integrator could be cut off without affecting anyone else.

Second, BioTrackTHC should implement some method for users to generate a unique API token. This API token, never the password, is what should be given to the integrator. The token should be shown once at creation and stored only as a hash on BioTrackTHC’s side. In this fashion the User Account and the API access can have different permission levels (e.g. a read-only token for a reporting integration), and these tokens can be revoked or re-issued without any impact on the User Account.
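To make the two-credential model above concrete, here is an added example of how a per-integrator key plus a per-user, scoped, revocable token could be issued and checked on the server side. This is illustration code written for this post, not BioTrackTHC’s API or anyone’s production code; the class and field names (TokenService, TokenRecord, the "int_"/"tok_" prefixes) and the in-memory storage are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example of the two-credential model (per-integrator key plus
# per-user, scoped, revocable API token). Hypothetical illustration code,
# not BioTrackTHC's API; TokenService/TokenRecord and the id prefixes are
# assumptions. Storage is in memory; a real deployment would use a database.


def _digest(secret: str) -> str:
    # Tokens are long random strings, so a plain SHA-256 is adequate for
    # storage; slow password hashes are only needed for low-entropy secrets.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def _matches(secret: str, stored_digest: str) -> bool:
    # Constant-time comparison so a timing difference does not leak a match.
    return hmac.compare_digest(_digest(secret), stored_digest)


@dataclass
class TokenRecord:
    digest: str          # hash of the token secret (the secret is not kept)
    owner: str           # user account the token acts on behalf of
    integrator: str      # integrator key id the token is bound to
    scopes: frozenset    # permissions granted, a subset of the owner's
    revoked: bool = False


class TokenService:
    def __init__(self) -> None:
        self.integrators: dict[str, str] = {}     # key id -> digest of secret
        self.tokens: dict[str, TokenRecord] = {}  # token id -> record

    # Step 1: every integrator gets its own key, so each caller is identifiable.
    def issue_integrator_key(self) -> tuple[str, str]:
        key_id = "int_" + secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.integrators[key_id] = _digest(secret)
        return key_id, secret  # shown once at issuance; only the hash persists

    # Step 2: the user mints a token for one integrator with reduced scopes.
    def issue_user_token(self, owner: str, integrator: str, scopes) -> str:
        if integrator not in self.integrators:
            raise ValueError("unknown integrator key id")
        token_id = "tok_" + secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = TokenRecord(
            _digest(secret), owner, integrator, frozenset(scopes))
        # "id.secret" lets the server look up the record without scanning.
        return f"{token_id}.{secret}"

    def revoke(self, token_id: str) -> None:
        # Revocation touches only the token; the user's login is untouched.
        self.tokens[token_id].revoked = True

    def authenticate(self, key_id: str, key_secret: str,
                     user_token: str, required_scope: str):
        """Return the owning user name if the request is authorised, else None."""
        stored = self.integrators.get(key_id)
        if stored is None or not _matches(key_secret, stored):
            return None                      # integrator not identified
        token_id, _, secret = user_token.partition(".")
        rec = self.tokens.get(token_id)
        if rec is None or rec.revoked or not _matches(secret, rec.digest):
            return None                      # unknown, revoked or wrong token
        if rec.integrator != key_id:
            return None                      # token presented by a different integrator
        if required_scope not in rec.scopes:
            return None                      # outside the user-granted scope
        return rec.owner


def demo():
    """Walk through issuance, use, scope limits and revocation (constructed data)."""
    svc = TokenService()
    key_id, key_secret = svc.issue_integrator_key()
    token = svc.issue_user_token("grower42", key_id, {"inventory:read"})
    results = {
        "read_ok": svc.authenticate(key_id, key_secret, token, "inventory:read"),
        "write_denied": svc.authenticate(key_id, key_secret, token, "inventory:write"),
        "bad_key": svc.authenticate(key_id, "not-the-secret", token, "inventory:read"),
    }
    svc.revoke(token.split(".")[0])
    results["after_revoke"] = svc.authenticate(key_id, key_secret, token, "inventory:read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what never appears anywhere in this flow: the user’s BioTrack password. The integrator holds a token that only works together with its own key, only for the scopes the user chose, and only until the user revokes it.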

My hope is that BioTrackTHC will listen to this advice and implement this the proper way. The way that has been well defined and accepted by the technology community for over a decade.

Hey BioTrackTHC! Where’d you get your security model? 1989?