Why are there Authentication Differences between API and SDK?

2023-01-30

by Sara Jakša

Recently, I have been working on the integration for Snowflake. I have to admit, I was impressed by how much one could do through the API. But there was one thing that confused me - authentication types.

When looking at the documentation, there was multiple types of API authentication possible, but all of them seems to require quite a lot of work on the side of whoever is integration it. Or we would need an already valid API credentials in order to create the API credentials we could then use.

The later is a catch 22 situation. But the former I try to avoid, since I know that I will be the one having to help with all the problems they will encounter with this.

So then I looked at the SDK, and whole and behold, it can use the username and password combination to authenticate.

That would solve a lot of our problems. Username and password is something all people understand, so there is not as many misunderstandings about what we expect from them. And while it is not secure, the API does allow us to do all and more than what is avalable on the user interface. So any credentials they would be giving us would pose the same risks.

There are some passwords habits, that could make this less safe, but I will need to assume some competence on their side for this.

So I happy went and try to figure out, if I could use the same authentication, but it can be only used in SDK. After a day of trying to reverse engineer it, I gave up and just used the SDK.

So here is my pet peeve. What kind of thinking allows for some authentication to be used in the SDK, but not in the raw HTTP calls to the API? I am seriously baffled as to why there are the differences there?

Do they assume, that only beginners would use the SDK? Well, they don't provide any help with writing queries, so I have doubts about this? Or to they only trust themselves to be able to protect credentials, but not the rest of us?

I mean, if this was not to be used, then why include it in the SDK at all?

I wish, that if they have implemented this type of authentication, they would also made it available to the rest of us, that want to use HTTP calls, and not the SDK. Or at least for somebody to come and explain the reasoning behind it.