Friday, July 21, 2023

Advice for Operating a Public-Facing API

Joshua Stein:

Serve your API at, never at As your API’s usage grows, it will expand beyond your website/dashboard server and need to move to a separate server or many separate servers. […] Your API may also have more relaxed security restrictions in terms of TLS versions and ciphers accepted that you don’t want to relax on your dashboard website that handles sensitive information.


Rather than bending over backwards trying to support poorly written code, don’t let their bad code function properly in the first place so it doesn’t get deployed.


With OAuth your API can’t be used from a simple curl request but has to be a custom multi-step process pulling in a whole OAuth library. Use static API tokens if you can, but make it easy to rotate them.


[Generate] a unique ID or UUID with every request, return it to the user in the message body somewhere, log it, and ask for it on your support form.


[Use] a short prefix for each type of random ID you create.

1 Comment RSS · Twitter · Mastodon

[…] Michael Tsai, a great article about Operating a Public Facing API by Joshua […]

Leave a Comment