Advice for Operating a Public-Facing API
Serve your API at
api.example.com, never atexample.com/api. As your API’s usage grows, it will expand beyond your website/dashboard server and need to move to a separate server or many separate servers. […] Your API may also have more relaxed security restrictions in terms of TLS versions and ciphers accepted that you don’t want to relax on your dashboard website that handles sensitive information.[…]
Rather than bending over backwards trying to support poorly written code, don’t let their bad code function properly in the first place so it doesn’t get deployed.
[…]
With OAuth your API can’t be used from a simple curl request but has to be a custom multi-step process pulling in a whole OAuth library. Use static API tokens if you can, but make it easy to rotate them.
[…]
[Generate] a unique ID or UUID with every request, return it to the user in the message body somewhere, log it, and ask for it on your support form.
[…]
[Use] a short prefix for each type of random ID you create.
[…] Michael Tsai, a great article about Operating a Public Facing API by Joshua […]