> It’s simple, but insecure unless wrapped in HTTPS. That’s why it’s almost never used in production anymore.

I mean, if you’re going to write a post about auth methods, you gotta say more than this.

There is another kind, which is X.509 client certificates, which is more secure and more versatile than other kinds. However, it does mean that if you want to login from more than one computer, you need the certificate and private key on all of them (but this can be an advantage as well as being a disadvantage). It is capable of handling authorization as well as authentication, if you add extensions for this use. The private key may be passworded, which can provide additional security; storing one certificate on a computer not connected to the internet and then issuing another certificate to yourself which will be the one you will actually use, can also provide additional security; in both cases, the service provider does not need to worry about these things and the client can do how they intend to do.

Another method which may be suitable for some uses (although the working of web browsers means that it will not work securely in a web browser, unless you have an extension, but it can work easily in other programs) is HMAC, although this is not suitable for all uses. For idempotent write operations which are not intended to be secret, it might work.