
Joplin API - Token in HEADER vs Query parameters


Would it be possible to move the token from the query parameter to a header like X_JOPLIN_TOKEN or something like that, which could be a little more secure and avoid it being exposed by intermediaries?

I mentioned this a year ago. Unfortunately nothing came of my suggestion.

I can't really recall what the reasoning was (for not allowing me to move the token to the header).

If the answer will be no, we will forget that.
Thanks @tessus

I think it was because I mentioned that when I write an API, I usually allow all options: HEADER, POST, and GET for all parameters, and allow people to set precedence. Maybe Laurent thought I wanted to do the same in Joplin.

I am not saying that the answer will be no. It is also very much possible that Laurent changed his mind or that he was never opposed to using a HEADER for the token. I'm just saying that the discussion back then never had a real conclusion.

I know, I posted that here because the issue I opened for that topic keeps getting closed, and I open it again, and so on :)

I don't see any clear reason why we should support this other than personal preferences. For example, it won't allow implementing new types of apps or new features, so based on this I'd rather not add support for a header token.

I believe the original reason for it was because the query URL ends up in the log, but so could the header parameters. In any case, logging must be done in a secure way.
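
The point in the last reply, that the token can reach a log whether it travels in the query string or in a header, shown as an added example that is not part of the thread or of Joplin's code: a request logger that masks the token in both places before a line is written. The `token` query parameter is the one discussed above; the header name `x-joplin-token`, the helper names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (not Joplin code): mask the API token before a request is logged.
// `token` is the query parameter from the thread; `x-joplin-token` is a
// hypothetical header name modelled on the X_JOPLIN_TOKEN suggestion.
const SENSITIVE_QUERY = new Set(['token']);
const SENSITIVE_HEADERS = new Set(['x-joplin-token', 'authorization', 'cookie']);
const MASK = 'REDACTED';

// Return the request target with every sensitive query value masked.
function redactUrl(rawUrl) {
  // A base is supplied so relative targets such as "/notes?token=..." parse.
  const url = new URL(rawUrl, 'http://localhost');
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY.has(name.toLowerCase())) url.searchParams.set(name, MASK);
  }
  return url.pathname + url.search;
}

// Return a copy of the headers with sensitive values masked.
// Header names are case-insensitive, so compare in lower case.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? MASK : value;
  }
  return out;
}

// Build the log line from redacted fields only; the raw request is never serialized.
function logLine(req) {
  return JSON.stringify({
    method: req.method,
    url: redactUrl(req.url),
    headers: redactHeaders(req.headers),
  });
}

// Constructed sample requests: the same token sent once in the query, once in a header.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/notes?token=abc123secret&limit=10', headers: { 'User-Agent': 'curl/8.0' } },
  { method: 'GET', url: '/notes?limit=10', headers: { 'X-Joplin-Token': 'abc123secret' } },
];

for (const req of SAMPLE_REQUESTS) console.log(logLine(req));
```

The same masking has to be applied at every hop that writes logs (reverse proxy, application, client debug output), since each one sees the full request.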