Results 238 comments of El RIDO

What's this then? https://github.com/diafygi/webcrypto-examples#hmac :wink: I would definitely avoid introducing any new crypto/encoding (apart from pako, until there is mainstream browser support for deflate) libraries at this point. We had...

PS: After thinking about this in the terms of #347, I start to really like this HMAC idea. The paste would only need to be returned by the API if it...

HMAC: I assumed the HMAC would be ID (known to server) + 256 bit key + password (may be blank). The key can be brute forced as well with or...

Quick recap of the API flow as I understand it from the above: 1. Paste creation as usual, server responds with paste ID, (delete)token and a (new) public, paste specific...

Addendum: Had a think about if it's possible to avoid having to send two requests during the creation. The problem there is that the creator doesn't know the paste ID,...

Ok, but then how is the pasteToken shared with the visitor? Would it be appended to the URL? We also can't use the message, the visitor needs to be able...

Sorry, now I am confused. Could you please share the amended API flow how you imagine it? Reg. rate limiting - currently we only limit the creation, but not the...

Ok, so you would prefer to have two calls for retrieval. I'll do a PR with a simple implementation and we can then discuss further steps based on it.

If I may make a suggestion: Should we maybe model this in something like [Verifpal](https://verifpal.com/), first? The last time we worked on this we changed the implementation several times in...

Please have a look at #447 and the discussion we had there (if not already done). It implements something like you describe, but we found that it is not as...