9 Capability-based security and macaroons
This chapter covers
- Sharing individual resources via capability URLs
- Avoiding confused deputy attacks against identity-based access control
- Integrating capabilities with a RESTful API design
- Hardening capabilities with macaroons and contextual caveats
In chapter 8, you implemented identity-based access controls that represent the mainstream approach to access control in modern API design. Sometimes identity-based access controls can come into conflict with other principles of secure API design. For example, if a Natter user wishes to share a message that they wrote with a wider audience, they would like to just copy a link to it. But this won’t work unless the users they are sharing the link with ...
Get API Security in Action now with the O’Reilly learning platform.