
I'm curious why the solution here is bearer tokens bound to asymmetric keys instead of a preshared key model. Both solutions require a new browser API. In either case the key is never revealed to the caller and can potentially be bound to the device via a hardware module if the user so chooses.

Asymmetric crypto is more complex and resource intensive but is useful when you have concerns about the remote endpoint impersonating you. However, that's presumably not a concern when the authentication is unique to the (server, client) pair as it appears to be in this case. This doesn't appear to be an identity scheme, hence my question.

(This is not criticism BTW. I am always happy to see the horribly insecure bearer token model being replaced by pretty much anything else.)
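The two key-binding models the comment compares, side by side, as an added example that is not part of the original thread or of any scheme it discusses. A bearer token is issued and then, on every request, the client proves possession of a key bound to that token: in the first model an HMAC under a secret the server also stores, in the second an Ed25519 signature under a private key the server never sees. The `Request` shape, the canonical string and the `Enroll`/`Verify` names are constructed for illustration; `ServerCanForgePSK` makes the property the comment alludes to concrete, namely that in the preshared-key model the server's own key store is enough to mint a proof it will accept, whereas the asymmetric server holds only public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Request is the part of an HTTP request that the proof of possession
// covers. Field names are constructed for this example.
type Request struct {
	Method, Path, Nonce string
}

// canonical is the byte string both sides MAC or sign; binding the token to
// method, path and a per-request nonce means a captured proof cannot be
// replayed against a different request.
func canonical(token string, r Request) []byte {
	return []byte(token + "\n" + r.Method + "\n" + r.Path + "\n" + r.Nonce)
}

// newToken returns a random opaque bearer token.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ---- Model 1: token bound to a preshared (symmetric) key ----

// PSKServer stores, per token, the same secret the client holds.
type PSKServer struct{ keys map[string][]byte }

func NewPSKServer() *PSKServer { return &PSKServer{keys: map[string][]byte{}} }

// Enroll issues a token and a fresh 32-byte secret shared with the client.
func (s *PSKServer) Enroll() (token string, secret []byte) {
	token = newToken()
	secret = make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	s.keys[token] = secret
	return token, secret
}

// pskProof is what the client attaches to a request: HMAC-SHA256 over the
// canonical string under the shared secret.
func pskProof(secret []byte, token string, r Request) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(canonical(token, r))
	return m.Sum(nil)
}

// Verify recomputes the MAC and compares in constant time.
func (s *PSKServer) Verify(token string, r Request, proof []byte) bool {
	secret, ok := s.keys[token]
	if !ok {
		return false
	}
	return hmac.Equal(pskProof(secret, token, r), proof)
}

// ServerCanForgePSK reports whether the server's own stored material is
// enough to produce a proof the server accepts. With a preshared key it is.
func ServerCanForgePSK(s *PSKServer, token string, r Request) bool {
	secret, ok := s.keys[token]
	return ok && s.Verify(token, r, pskProof(secret, token, r))
}

// ---- Model 2: token bound to an asymmetric key pair ----

// AsymServer stores only the client's public key per token.
type AsymServer struct{ pubs map[string]ed25519.PublicKey }

func NewAsymServer() *AsymServer {
	return &AsymServer{pubs: map[string]ed25519.PublicKey{}}
}

// Enroll: the client generates the key pair and registers the public half.
func (s *AsymServer) Enroll(pub ed25519.PublicKey) string {
	token := newToken()
	s.pubs[token] = pub
	return token
}

// asymProof is the client's Ed25519 signature over the canonical string.
func asymProof(priv ed25519.PrivateKey, token string, r Request) []byte {
	return ed25519.Sign(priv, canonical(token, r))
}

// Verify checks the signature against the enrolled public key.
func (s *AsymServer) Verify(token string, r Request, proof []byte) bool {
	pub, ok := s.pubs[token]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, canonical(token, r), proof)
}

func main() {
	r := Request{Method: "GET", Path: "/account", Nonce: "n-1"}
	ps := NewPSKServer()
	tok, sec := ps.Enroll()
	fmt.Println("PSK proof accepted:", ps.Verify(tok, r, pskProof(sec, tok, r)))
	fmt.Println("PSK server can forge:", ServerCanForgePSK(ps, tok, r))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	as := NewAsymServer()
	atok := as.Enroll(pub)
	fmt.Println("Ed25519 proof accepted:", as.Verify(atok, r, asymProof(priv, atok, r)))
	fmt.Println("Token alone accepted:", as.Verify(atok, r, make([]byte, ed25519.SignatureSize)))
}
```

In both models a token captured on its own is useless without the bound key, which is the improvement over plain bearer tokens; the models differ in who holds key material that can produce a valid proof.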


