API access questions

(Uni) #1

I occasionally make some simple APIs for external consumption - eg: feeds of assets as json for… ‘reasons’

To control access/abuse, but still leave the asset public, I add a condition to the rendering along the lines of begin_globals_get_apikey^eq:magic-dust - therefore, no magic dust = error message.

Works OK, means I can keep it all relatively frictionless and if I notice problems, I can change the key. However, obviously, it’s extremely limited. So, what I’m looking for are suggestions of how this might be done better - ideally, something that allows a logged in user to manage their own api key, and also for me to identify and manage those keys.

Just to be clear, the endpoint is going to be live and public, and needs be accessed by link only, so the api key is probably going to be sent in the clear, as a get variable. I’m OK with that - in many cases there won’t even be a referrer as the request will come from unpredictable software like a calendar, or the user will have clicked a link in an email.

I’m more looking for smart ideas around letting users manage their API keys, and fast ways of confirming a match when a request is made.