--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
Visit this group at http://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.
Has anyone looked into making their APIs behave more like web pages (as far as API management goes)? That is, NOT require AT ALL an API KEY sign up, and solve things at run-time (note that API KEYS are VERY different than user auth)?
--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
Visit this group at http://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.
Wouldn't API key is proxy for live human and runs on top of users context ... ?
so, one way to look at this is "how can we make API access onboarding fully automated?" or "how can we do realtime API key management?"
On Jul 21, 2015, at 11:32 PM, sgoto <samue...@gmail.com> wrote:Has anyone looked into making their APIs behave more like web pages (as far as API management goes)? That is, NOT require AT ALL an API KEY sign up, and solve things at run-time (note that API KEYS are VERY different than user auth)?Many web pages require some sort of sign-up, these days often including a confirmation loop via email. Indeed, the confirmation loop is generally perceived as having the primary purpose of *excluding* automated, untouched-by-human-hands access (what you want).API Keys are "different from user auth" in that their main-line use flow is simpler, but this handy short-cut is, IME, always grounded in an established user login session based on an established user identity confirmed by one of those pesky register-and-confirm human-mediated workflows.
Even APIs whose main purpose is purely public tend, these days, to require an API key (hence developer-user, hence identity, hence confirmation), for monitoring (who's using our API?), value-demonstration (see, boss? this API stuff makes us money!), and control (e.g., DOS blocking). Google famously learned that, a few years ago, causing them to add keys to even their most basic APIs. Key management ensures that such reporting and control covers the expected user, not some spoofing DOSer.So, yeah: someone has investigated this, and learned that it's dangerous, and now it's a recognized Best Practice to do what's causing you grief. I'm sympathetic to your problem of "thousands of APIs," but I 'm not optimistic you'll be able to convince "thousands of API providers" to lower the draw bridge and let you in, unless you can find some other way to keep Melvin Malice out. Having negotiated security protocols, a bit, I'm even more doubtful that this convincing will somehow be easier or quicker than just slogging through the thousands of registration and key-allocation procedures.
--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
Visit this group at http://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.
On Jul 21, 2015, at 11:32 PM, sgoto <samue...@gmail.com> wrote:Has anyone looked into making their APIs behave more like web pages (as far as API management goes)? That is, NOT require AT ALL an API KEY sign up, and solve things at run-time (note that API KEYS are VERY different than user auth)?Many web pages require some sort of sign-up, these days often including a confirmation loop via email. Indeed, the confirmation loop is generally perceived as having the primary purpose of *excluding* automated, untouched-by-human-hands access (what you want).API Keys are "different from user auth" in that their main-line use flow is simpler, but this handy short-cut is, IME, always grounded in an established user login session based on an established user identity confirmed by one of those pesky register-and-confirm human-mediated workflows.Even APIs whose main purpose is purely public tend, these days, to require an API key (hence developer-user, hence identity, hence confirmation), for monitoring (who's using our API?), value-demonstration (see, boss? this API stuff makes us money!), and control (e.g., DOS blocking). Google famously learned that, a few years ago, causing them to add keys to even their most basic APIs. Key management ensures that such reporting and control covers the expected user, not some spoofing DOSer.So, yeah: someone has investigated this, and learned that it's dangerous, and now it's a recognized Best Practice to do what's causing you grief. I'm sympathetic to your problem of "thousands of APIs," but I 'm not optimistic you'll be able to convince "thousands of API providers" to lower the draw bridge and let you in, unless you can find some other way to keep Melvin Malice out.
Having negotiated security protocols, a bit, I'm even more doubtful that this convincing will somehow be easier or quicker than just slogging through the thousands of registration and key-allocation procedures.
--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+...@googlegroups.com.
Visit this group at http://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.