Why is the Open States API HTTP and not HTTPS and/or OAuth?


Andrew Jaffee

May 4, 2016, 1:17:54 PM
to Open State Project
Has anyone out there had problems with their Sunlight/Open States API key being stolen and abused? Does anyone feel this is a valid concern?

Granted, stealing and abusing someone else's API key would get what... free legislative info that is already free? But there always seems to be some idiot who wants to ruin a good thing.

I'm just concerned that if I use my API key over HTTP (clear text), someone will steal it, make a bunch of requests, and then Sunlight may throttle or terminate my access. I don't want to get blacklisted or have to register for a new key and then update my app and possibly my client apps.

Am I just worrying too much or have people found the need to, for example, add a layer like StormPath for processing their Open States API requests?

Thanks.

Andy Lo

May 6, 2016, 10:13:25 AM
to Open State Project
Hi Andrew,

You're right, Open States probably should be behind HTTPS - I'll take a look into it.  As for API key usage, we'll attempt to contact you if your usage seems suspiciously high before we take any action, and given the kind of traffic we often receive on the API, I'm betting you don't have anything to worry about. :)

Andrew Jaffee

May 6, 2016, 11:21:13 AM
to Open State Project
Andy:

Thanks so much for taking the time to answer. I appreciate the fact that Sunlight/Open States is so accommodating. I wish it weren't the case, but we live in times where people can get malicious with technology just for the "fun" (?) of it, so going to HTTPS (TLS) would be great.

Thanks again and I look forward to participating in your community.

Andrew

Deanna Schneider

Jul 22, 2016, 1:53:32 PM
to Open State Project
Has there been any movement on getting this API to use HTTPS? It doesn't appear to work with HTTPS yet, and I need to call it from an https site that complains if I reach out to http sites.

Andy Lo

Jul 22, 2016, 2:01:43 PM
to Open State Project
Hi Deanna and all involved,

Apologies for the delays, but I have been inundated with other work at Sunlight along with discussions about the future of the Open States project.  However, you should now be able to use HTTPS with the Open States API.