How to handle development for multiple customers of ours using the Postmates API - postmates

We would like to develop an app which can be used by multiple customers (of ours). Each app will be customized to each customer of ours.
What we are unsure about is how to handle authentication keys and API keys. Do we create one set of these for each of our customers, or do we just have one account and all our customers use the one set of API keys? The latter approach makes me nervous because if one customer is banned (for whatever reason) then all my customers will suffer since they all share the same API key.
Any guidance from Postmates development team would be appreciated.

Currently, we do not support provisioning multiple API keys for a single account.
I recommend having each client create an API key. This also would allow your customers to use their own payment method, versus a single payment method for every customer.
Hope this helps, let me know if you have any more questions!

Related

using Google APIs account to handle multiple users in my app

I have a web app in which I need to use the google translation and language detection API. Following the docs I can consume the API using my service account. However, I have different clients (users) who use my service and each one should be billed separately, so I need a way to calculate the pricing for each user separately.
I read on other SO questions that making a service account per client is a bad idea. Also, I need a way to allow each user to enable/disable the translation feature programmatically (my web app is a service on the cloud, so for example if the solution was to create a service acc/user, then I need a programmatic way to do that). Any ideas about the best available way to handle this?

UPS "AccessLicenseNumber"

This question is related to Stackoverflow Question -> Access licence number for UPS
When I registered for Developer APIs, I was given a 4-part credential: User ID, Password, Access Key, and Shipper Number. I used this and the CIE URL to get rates, print shipping labels, etc. So far so good. Everything works. I have been able to build and test desktop and web GUIs that use UPS API.
Now I understand that I need to implement UPS Registration API and Licensing API to apply for certification. I applied with UPS for this and received the API package. Again, so far so good. Now, I have two questions:
1- I understand that we can use the Registration API to authenticate existing UPS accounts for end users to access my application. We can also use it to allow the end user to create one or more new UPS accounts for use with the application. If Registration API takes care of this, what is the use of the Licensing API? UPS documentation isn't widely available and the documentation that comes with the API kit is very minimal.
2- My app will use the end users' UPS account numbers for shipping, but which Access Key should it use? Should it use the Access Key of each end user, or my Access Key for everyone? If the former, then should this end-user Access Key be obtained using the Licensing API? Is that the Licensing API's purpose?
In essence, I think both questions are the same but you can see how perplexed I am with respect to this requirement of implementing Registration and Licensing APIs!
Any insight from you experts would be REALLY great!
UPDATE:
Just wanted to add another question:
3- I am using UPS Web Services for all UPS functionality. The package that contains Licensing API and Registration API has a "Reference.cs" for the Registration API but not for Licensing API (only XSDs in that folder). Is the Licensing API not available as Web Service?
Questions on the licensing API should be referred to the folks at UPS Ready. This is not the proper forum.

What is the purpose of a web API

I'm working on an app and websites. They have related information such as users, contracts, etc. What is the reason for designing an API and not connecting directly to the database?
Edit:
I'm just starting development and have no experience with web services. Please be as thorough as possible.
Sites such as Facebook, Google, and Twitter could never let third party apps connect directly to their database: it's an enormous security risk. (Would you be comfortable if Facebook allowed anyone to access their database, including private user information and messages?)
APIs serve as a gate through which third party apps can get the kinds of information they are permitted to access.
There are several reasons why you would use an API instead of using direct access.
The first 2 that come to mind:
Using an API allows you to write the client code without knowing any details of the specific implementation, so if you change your database structure or location for instance, you need only rewrite the API wrapper code, not everywhere it's referenced.
It allows you to have different levels of authentication. As mentioned in another answer, it is not ideal for all users of an application to have access to every other user's data.

Why do some API providers require an API key?

Several web service APIs have you sign up for an API key. For example, UPS Web services requires a key, which is included in calls to their service -- In addition to the username and password.
What is this key used for by the provider? Perhaps UPS is the only one to require both API key and username/password?
One idea is that they use it to limit or measure API usage, but it seems to me that a setting in the user's profile could easily do the same thing -- especially since you generally have to get an account w/ username and password to get the API in the first place.
There are two predominant use cases. The first is to measure, track and restrict API usage. If someone is building a service that allows third parties to access it, the service provider may want to control (or at least know) who has access so that they can try and prevent things like denial of service attacks. On the measure and track side, interesting information can be obtained such as knowing which applications are popular for accessing the service or which features people use the most.
The other use case is related to security and authentication. It is unwise for a service provider to have third party applications and services require users to give up their username and password for the primary service. This is a huge exposure. That is why many services are standardizing on protocols such as OAuth, which provides delegated access via authorization to a user's data. While not foolproof, it is definitely preferable to distributing user credentials to unknown, and untrusted, parties.
Most of the time it is to monitor how developers are using the web-api. If they somehow disagree with your usage of the api it provides a means for them to shut it/you down without hurting the other users. And the statistics per user/app are always valuable.
I've used the flickr api - in that situation the key is yours, but the login data might be those of people using your app, so the api key is the only way to differentiate between the apps.
Usually it is used to get stats on how many queries an application is performing against the API.
I think asking for username/password along with an API key is ambiguous in some cases, but that is how it is implemented, so we can't do anything about it.
They ask for an API key because you could have more than one API under the same account - in case you have more than one site which uses the same API.
They could use it to signify which version of the API you are trying to use. Perhaps in Version 1.0, there is a method that takes a POST on www.UPS.com/search and there is another one in version 2.0 at the same address, but takes a different parameter set, or even returns data in a different format/style. Your program was built on V1.0 and expects a certain API contract. They want to be able to create V2.0 without interfering with their customer's products.
That's just a guess, but it sounds good to me.
I think Gracenote does a similar thing for cddb. I forget the details, but I remember something about some token.
(They have/had really draconian rules about using their service too.)
Simon reminded me what the Gracenote thing was. Gracenote and Fedex and other webservices have lots of developers writing apps for the software. So the developers get a token to put into their apps, but the end users have their own user name and password. It lets the services keep an eye on abusing programs, etc. That is probably the primary reason. (like a browser or a webbot informing the webserver who/what it is)
Originally, Blogger required you to apply for an API key (a la Google Maps) and used it to restrict access to the API. As Blogger evolved into Metaweblog, the requirement for the API became less important, and Blogger no longer requires you to apply for a key. As noted by others, it can still be used for tracking purposes.
In our situation, our clients want it for:
Tracking/analytics - figuring out who's doing what and building what products. Because a number of users are desktop apps, just looking at referrers isn't always enough.
Permissions - which resources should a user have access to? How can a user build apps that have access to specified resources?
Licensing/legal - enforcing that users have read and accepted ToU/licensing information.
Security - passing around usernames/passwords is a really bad idea.
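The answers above describe an API key as the identity of the calling application, used for metering, rate limiting and shutting down one app without touching the others, which is also the isolation the first question on this page asks about. The sketch below is an added example, not code from any provider named here; `ApiKeyGate`, the key strings, app names and limits are all hypothetical, and the fake clock is constructed for the demo.

```python
import hashlib
import time
from dataclasses import dataclass, field

@dataclass
class KeyRecord:
    app: str                 # application (or customer) the key was issued to
    limit: int               # accepted calls allowed per window
    revoked: bool = False
    calls: list = field(default_factory=list)  # timestamps inside the window

def _digest(key):
    # Store only a hash so a leaked key table does not expose usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

class ApiKeyGate:
    """Provider-side gate: the key names the calling app, not the end user."""
    def __init__(self, window_seconds=60, clock=time.monotonic):
        self.window, self.clock = window_seconds, clock
        self.keys, self.usage = {}, {}   # usage: app -> accepted calls

    def issue(self, key, app, limit):
        self.keys[_digest(key)] = KeyRecord(app, limit)

    def revoke(self, key):
        self.keys[_digest(key)].revoked = True

    def check(self, key, user):
        """Return (status, reason); `user` is authenticated separately."""
        rec = self.keys.get(_digest(key))
        if rec is None:
            return 401, "unknown key"
        if rec.revoked:
            return 403, "key revoked"
        now = self.clock()
        rec.calls = [t for t in rec.calls if now - t < self.window]
        if len(rec.calls) >= rec.limit:
            return 429, "rate limit exceeded"
        rec.calls.append(now)
        self.usage[rec.app] = self.usage.get(rec.app, 0) + 1
        return 200, f"ok app={rec.app} user={user}"

def demo():
    now = [0.0]                                     # constructed fake clock
    gate = ApiKeyGate(clock=lambda: now[0])
    gate.issue("key-a", "customer-a-app", limit=2)  # constructed sample keys
    gate.issue("key-b", "customer-b-app", limit=2)
    codes = [gate.check("key-a", "alice")[0] for _ in range(3)]
    gate.revoke("key-a")                            # shut down one app only
    codes.append(gate.check("key-a", "alice")[0])
    codes.append(gate.check("key-b", "bob")[0])
    return codes, gate.usage
```

In `demo()`, the third call on the first key is throttled and the key is then revoked, while the second key keeps working; with a single shared key both customers would have been cut off together.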

Managing large user databases for single-signon

How would you implement a system with the following objectives:
Manage authentication, authorization for hundreds of thousands of existing users currently tightly integrated with a 3rd party vendor's application (We want to bust these users out into something we manage and make our apps work against it, plus our 3rd party vendors work against it).
Manage profile information linked to those users
Must be able to be accessed from any number of web applications on just about any platform (Windows, *nix, PHP, ASP/C#, Python/Django, et cetera).
Here some sample implementations:
LDAP/AD Server to manage everything. Use custom schema for all profile data. Everything can authenticate against LDAP/AD and we can store all sorts of ACLs and profile data in a custom schema.
Use LDAP/AD for authentication only, tie LDAP users to a most robust profile/authorization server using some sort of traditional database (MSSQL/PostgreSQL/MySQL) or document based DB (CouchDB, SimpleDB, et cetera). Use LDAP for authorization, then hit the DB for more advanced stuff.
Use a traditional database (Relational or Document) for everything.
Are any of these three the best? Are there other solutions which fit the objectives above and are easier to implement?
** I should add that almost all applications that will be authenticating against the user database will be under our control. The lone few outsiders will be the applications we're removing the current user database from and perhaps 1 or 2 others. Nothing so broad as to need an openID server.
It's also important to know that a lot of these users have had these accounts for 5-8 years and know their logins and passwords, et cetera.
There is a difference between authentication and authorization/profiling so don't force both necessarily into a single tool. Your second solution of using LDAP for authentication and a DB for authorization seems more robust as the LDAP data is controlled by the user and the DB would be controlled by an admin. The latter would likely morph in structure and complexity over time, but authentication is just that: authentication. Separation of these functions will prove more manageable.
If you have an existing ActiveDirectory infrastructure, that will be the way to go. This will be particularly advantageous to companies that have already had Windows servers set up for authentication. If this is the case, I'm leaning towards your first bullet point in "sample implementations".
Otherwise it will be a toss-up between AD and open-source LDAP options.
It might be not viable to roll your own authentication schema for single-sign-on (especially considering the high amount of documentation and integration work you might have to do), and obviously do not bundle your authentication server with any of the applications running on your system (since you want it to be able to be independent of the load of such applications).
Good luck!
Use LDAP/AD for authentication only, tie LDAP users to a most robust profile/authorization server using some sort of traditional database (MSSQL/PostgreSQL/MySQL) or document based DB (CouchDB, SimpleDB, et cetera). Use LDAP for authorization, then hit the DB for more advanced stuff.
We have different sites with around 100k users and they all work with normal databases. If most applications can access the db you can use this solution.
You can always implement your own OpenID server. There is already a Python library for OpenID so it should be fairly easy.
Of course you don't need to accept logins authorized by other servers in your applications. Accept credentials authorized only by your own server.
Edit: I have found an implementation of OpenID server protocol in Django.
Edit2: There is an obvious advantage in implementing OpenID for your users. They will be able to login to StackOverflow with their logins :-)