- I install (or load) the app, via the browser.
- The browser looks at a manifest file (or some such) to see information about the app.
- The app tells the browser it needs to use the Twitter and Imgur APIs.
- The browser alerts the user of this, much like apps that request the user’s geolocation.
- The browser allows a 1-click ability for the user to “create an account with service X”.
- The browser goes out and creates these accounts and stores the API information in the browser.
- api.twitter.get("1/statuses/public_timeline.json", callback);
- api.imgur.post("1/image/upload", options_hash, callback);
Now I can write a serverless app and not worry about someone jacking my API keys.

Other benefits:
- The browser doesn’t have to ask me to create an account again: once I have a Twitter account, all apps use that.
- It would move rate limits to the user, rather than the application.
- It lets the user know (permissions?) what this app will be doing with their data, maybe even allowing only part of it. For example: I want to get Twitter avatars and draw on them, but I don’t care to save them.
- I can’t wait to use postMessage more, but until APIs start supporting it, we will still need to POST. The browser will do this for us so our app can post cross domain.
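
A sketch of the flow proposed above, added here as an illustration and not code from the original post: the browser-side broker keeps the per-user credential and the permissions the user approved, and the app only ever receives an `api` object. The names `createBroker`, `enroll`, `install`, the manifest shape, the token and the second request path are assumptions.

```javascript
// Added sketch; createBroker, enroll, install and the manifest shape are hypothetical.
function createBroker(transport) {
  const vault = new Map();   // service -> this user's credential; never given to apps
  const grants = new Map();  // appId -> Map(service -> Set of approved methods)
  const broker = {
    // Browser side: result of the 1-click "create an account with service X".
    enroll(service, credential) { vault.set(service, credential); },
    // Browser side: read the manifest, keep only what the user approved.
    install(manifest, approve) {
      const allowed = new Map();
      for (const [service, methods] of Object.entries(manifest.apis)) {
        const ok = methods.filter((m) => approve(service, m));
        if (ok.length > 0) allowed.set(service, new Set(ok));
      }
      grants.set(manifest.id, allowed);
      return broker.apiFor(manifest.id);
    },
    // App side: the only object the app ever sees. It carries no keys.
    apiFor(appId) {
      const perms = grants.get(appId) || new Map();
      const call = (service, method) => (path, ...rest) => {
        const callback = rest.pop();
        if (!perms.get(service).has(method)) return callback(new Error(`${appId} may not ${method} ${service}`));
        if (!vault.has(service)) return callback(new Error(`no ${service} account`));
        // The credential is attached here, inside the browser, per user.
        const req = { service, method, path, body: rest[0], credential: vault.get(service) };
        return transport(req, callback);
      };
      const api = {};
      for (const service of perms.keys()) {
        api[service] = Object.freeze({ get: call(service, "get"), post: call(service, "post") });
      }
      return Object.freeze(api);
    },
  };
  return broker;
}
// Constructed demo: the user lets the app read Twitter but not post to it.
function demo() {
  const sent = [];
  const broker = createBroker((req, cb) => { sent.push(req); cb(null, { status: 200 }); });
  broker.enroll("twitter", "constructed-user-token");
  const manifest = { id: "avatar-doodle", apis: { twitter: ["get", "post"] } };
  const api = broker.install(manifest, (service, method) => method === "get");
  const out = {};
  api.twitter.get("1/statuses/public_timeline.json", (err, res) => { out.read = err || res; });
  api.twitter.post("1/statuses/update.json", { status: "hi" }, (err) => { out.write = err; });
  return { sent, out, appView: JSON.stringify(api) };
}
```

In `demo()`, only the approved read reaches the transport, and serializing the object handed to the app shows no credential in it.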