CODE4LIB Archives

CODE4LIB@LISTS.CLIR.ORG

CODE4LIB December 2013
Subject: Re: The lie of the API
From: Kevin Ford <[log in to unmask]>
Reply-To: Code for Libraries <[log in to unmask]>
Date: Mon, 2 Dec 2013 12:58:21 -0500

> I think the best compromise is what Google ends up doing with many of
> their APIs. Allow access without an API key, but with a fairly minimal
> number of accesses-per-time-period allowed (couple hundred a day, is
> what I think Google often does).
-- Agreed.

I certainly didn't mean to suggest that there were not legitimate use 
cases for API keys.  That said, my gut (plus experience sitting in 
multiple meetings during which the need for an access mechanism landed 
on the table as a primary requirement) says people believe they need an 
API key before alternatives have been fully considered and even before 
there is an actual, defined need for one.  Server logs often reveal most 
types of "usage statistics" service operators are interested in and 
there are ways to throttle traffic at the caching level (the latter can 
be a little tricky to implement, however).

Yours,
Kevin


On 12/02/2013 12:38 PM, Jonathan Rochkind wrote:
> There are plenty of non-free API's, that need some kind of access
> control. A different side discussion is what forms of access control are
> the least barrier to developers while still being secure (a lot of
> services mess this up in both directions!).
>
> However, there are also some free API's which still require API keys,
> perhaps because the owners want to track usage or throttle usage or what
> have you.
>
> Sometimes you need to do that too, and you need to restrict access, so
> be it. But it is probably worth recognizing that you are sometimes
> adding barriers to successful client development here -- it seems like a
> trivial barrier from the perspective of the developers of the service,
> because they use the service so often. But to a client developer working
> with a dozen different API's, the extra burden to get and deal with the
> API key and the access control mechanism can be non-trivial.
>
> I think the best compromise is what Google ends up doing with many of
> their APIs. Allow access without an API key, but with a fairly minimal
> number of accesses-per-time-period allowed (couple hundred a day, is
> what I think Google often does). This allows the developer to evaluate
> the api, explore/debug the api in the browser, and write automated tests
> against the api, without worrying about api keys. But still requires an
> api key for 'real' use, so the host can do what tracking or throttling
> they want.
>
> Jonathan
>
> On 12/2/13 12:18 PM, Ross Singer wrote:
>> I'm not going to defend API keys, but not all APIs are open or free.  You
>> need to have *some* way to track usage.
>>
>> There may be alternative ways to implement that, but you can't just hand
>> wave away the rather large use case for API keys.
>>
>> -Ross.
>>
>>
>> On Mon, Dec 2, 2013 at 12:15 PM, Kevin Ford <[log in to unmask]> wrote:
>>
>>> Though I have some quibbles with Seth's post, I think it's worth drawing
>>> attention to his repeatedly calling out API keys as a very significant
>>> barrier to use, or at least entry.  Most of the posts here have given
>>> little attention to the issue API keys present.  I can say that I have
>>> quite often looked elsewhere or simply stopped pursuing my idea the
>>> moment I discovered an API key was mandatory.
>>>
>>> As for the presumed difficulty with implementing content negotiation
>>> (and, especially, caching on top), it seems that if you can implement an
>>> entire system to manage assignment of and access by API key, then I do not
>>> understand how content negotiation and caching are significantly "harder
>>> to implement."
>>>
>>> In any event, APIs and content negotiation are not mutually exclusive.
>>> One should be able to use the HTTP URI to access multiple representations
>>> of the resource without recourse to a custom API.
>>>
>>> Yours,
>>> Kevin
>>>
>>>
>>>
>>>
>>>
>>> On 11/29/2013 02:44 PM, Robert Sanderson wrote:
>>>
>>>> (posted in the comments on the blog and reposted here for further
>>>> discussion, if interest)
>>>>
>>>>
>>>> While I couldn't agree more with the post's starting point -- URIs
>>>> identify (concepts) and use HTTP as your API -- I couldn't disagree more
>>>> with the "use content negotiation" conclusion.
>>>>
>>>> I'm with Dan Cohen in his comment regarding using different URIs for
>>>> different representations for several reasons below.
>>>>
>>>> It's harder to implement Content Negotiation than your own API, because
>>>> you get to define your own API whereas you have to follow someone else's
>>>> rules when you implement conneg.  You can't get your own API wrong.  I
>>>> agree with Ruben that HTTP is better than rolling your own proprietary
>>>> API, we disagree that conneg is the correct solution.  The choice is
>>>> between conneg or regular HTTP, not conneg or a proprietary API.
>>>>
>>>> Secondly, you need to look at the HTTP headers and parse quite a complex
>>>> structure to determine what is being requested.  You can't just put a
>>>> file in the file system, unlike with separate URIs for distinct
>>>> representations where it just works, instead you need server side
>>>> processing.  This also makes it much harder to cache the responses, as
>>>> the cache needs to determine whether or not the representation has
>>>> changed -- the cache also needs to parse the headers rather than just
>>>> comparing URI and content.  For large scale systems like DPLA and
>>>> Europeana, caching is essential for quality of service.
>>>>
>>>> How do you find out which formats are supported by conneg? By reading the
>>>> documentation. Which could just say "add .json on the end". The Vary
>>>> header tells you that negotiation in the format dimension is possible,
>>>> just not what to do to actually get anything back. There isn't a way to
>>>> find this out from HTTP automatically, so now you need to read both the
>>>> site's docs AND the HTTP docs.  APIs can, on the other hand, do this.
>>>> Consider OAI-PMH's ListMetadataFormats and SRU's Explain response.
>>>>
>>>> Instead you can have a separate URI for each representation and link them
>>>> with Link headers, or just a simple rule like add '.json' on the end. No
>>>> need for complicated content negotiation at all.  Link headers can be
>>>> added with a simple apache configuration rule, and as they're static are
>>>> easy to cache. So the server side is easy, and the client side is
>>>> trivial.  Compared to being difficult at both ends with content
>>>> negotiation.
>>>>
>>>> It can be useful to make statements about the different representations,
>>>> and especially if you need to annotate the structure or content.  Or
>>>> share it -- you can't email someone a link that includes the right Accept
>>>> headers to send -- as in the post, you need to send them a command line
>>>> like curl with -H.
>>>>
>>>> An experiment for fans of content negotiation: Have both .json and 302
>>>> style conneg from your original URI to that .json file. Advertise both.
>>>> See how many people do the conneg. If it's non-zero, I'll be extremely
>>>> surprised.
>>>>
>>>> And a challenge: Even with libraries there's still complexity to figuring
>>>> out how and what to serve. Find me sites that correctly implement * based
>>>> fallbacks. Or even process q values. I'll bet I can find 10 that do
>>>> content negotiation wrong, for every 1 that does it correctly.  I'll
>>>> start: dx.doi.org touts its content negotiation for metadata, yet doesn't
>>>> implement q values or *s. You have to go to the documentation to figure
>>>> out what Accept headers it will do string equality tests against.
>>>>
>>>> Rob
>>>>
>>>>
>>>>
>>>> On Fri, Nov 29, 2013 at 6:24 AM, Seth van Hooland <[log in to unmask]> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I guess some of you will be interested in the blogpost of my colleague
>>>>> and co-author Ruben regarding the misunderstandings on the use and abuse
>>>>> of APIs in a digital libraries context, including a description of both
>>>>> good and bad practices from Europeana, DPLA and the Cooper Hewitt museum:
>>>>>
>>>>> http://ruben.verborgh.org/blog/2013/11/29/the-lie-of-the-api/
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Seth van Hooland
>>>>> Président du Master en Sciences et Technologies de l'Information et de la
>>>>> Communication (MaSTIC)
>>>>> Université Libre de Bruxelles
>>>>> Av. F.D. Roosevelt, 50 CP 123  | 1050 Bruxelles
>>>>> http://homepages.ulb.ac.be/~svhoolan/
>>>>> http://twitter.com/#!/sethvanhooland
>>>>> http://mastic.ulb.ac.be
>>>>> 0032 2 650 4765
>>>>> Office: DC11.102
>>
>>
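
An added example, not part of the original thread: one way to implement the compromise discussed above, a small anonymous daily quota plus a larger one for requests that carry an API key. The `X-Api-Key` header name, the sample key, the keyed limit, the proxy address and the `X-RateLimit-Remaining` response header are assumptions made for illustration.

```python
import time

ANON_LIMIT = 200                 # "couple hundred a day", per the thread
KEYED_LIMIT = 10_000             # assumed quota for registered keys
WINDOW = 86_400                  # one day, in seconds
VALID_KEYS = {"demo-key-123"}    # constructed sample key
TRUSTED_PROXIES = {"10.0.0.5"}   # assumed address of our own reverse proxy

def client_identity(peer_ip, headers):
    """Map a request to (bucket, limit); headers is a dict of request headers."""
    key = headers.get("X-Api-Key")   # header name is an assumption
    if key in VALID_KEYS:
        return "key:" + key, KEYED_LIMIT
    # Unknown or missing key: anonymous tier, bucketed by source address.
    # X-Forwarded-For is only believed when the TCP peer is our own proxy,
    # and then only the rightmost entry (the one that proxy appended);
    # otherwise a client could invent a new "address" per request.
    ip = peer_ip
    if peer_ip in TRUSTED_PROXIES and headers.get("X-Forwarded-For"):
        ip = headers["X-Forwarded-For"].split(",")[-1].strip()
    return "ip:" + ip, ANON_LIMIT

class DailyQuota:
    """Fixed-window counter per bucket, held in memory."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.windows = {}            # bucket -> (window_start, count)

    def check(self, peer_ip, headers):
        """Return (status, response_headers): 200 under quota, else 429."""
        bucket, limit = client_identity(peer_ip, headers)
        now = self.clock()
        start, count = self.windows.get(bucket, (now, 0))
        if now - start >= WINDOW:    # window expired, start a new one
            start, count = now, 0
        if count >= limit:
            return 429, {"Retry-After": str(int(start + WINDOW - now))}
        self.windows[bucket] = (start, count + 1)
        return 200, {"X-RateLimit-Remaining": str(limit - count - 1)}
```

Anonymous buckets are per source address, so clients behind a shared NAT or proxy draw on one quota; that is the cost of not issuing keys.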

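An added example, not from the original thread or from any site named in it: a server-side Accept parser that honours q values and `*` fallbacks, the two features Rob's challenge says are usually skipped in favour of string equality tests. The list of supported types is an assumption.

```python
import re

SUPPORTED = ["text/html", "application/json", "application/rdf+xml"]  # assumed, in server preference order
QVALUE = re.compile(r"0(\.\d{0,3})?|1(\.0{0,3})?")   # qvalue grammar from the HTTP spec

def parse_accept(header):
    """Return [(type, subtype, q)] for each media range; a malformed q counts as 0."""
    ranges = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        media = fields[0].lower()
        if media.count("/") != 1:
            continue                                  # not a media range, ignore it
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                value = value.strip()
                q = float(value) if QVALUE.fullmatch(value) else 0.0
        mtype, subtype = media.split("/")
        ranges.append((mtype, subtype, q))
    return ranges

def negotiate(header, supported=SUPPORTED):
    """Return the best supported type, or None (answer 406) if nothing is acceptable."""
    if header is None or not header.strip():
        ranges = [("*", "*", 1.0)]                    # no Accept header: anything goes
    else:
        ranges = parse_accept(header)
    best, best_q = None, 0.0
    for candidate in supported:
        ctype, csub = candidate.split("/")
        match = None                                  # (specificity, q) of the best range
        for mtype, msub, q in ranges:
            if (mtype, msub) == (ctype, csub):
                spec = 2                              # exact type
            elif mtype == ctype and msub == "*":
                spec = 1                              # type/*
            elif (mtype, msub) == ("*", "*"):
                spec = 0                              # */*
            else:
                continue
            if match is None or spec > match[0]:
                match = (spec, q)
        if match and match[1] > best_q:               # ties keep server preference order
            best, best_q = candidate, match[1]
    return best
```

A response selected this way should be sent with `Vary: Accept` so that a shared cache keys on the request header as well as the URI.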