I'm building an API. When requesting the data of a user this is shown to be the best practice to retrieve the data:

Requests user data with ID:

https://api.example.com/users/1

However, it would be more convenient to request user data with their email:

https://api.example.com/users/johnsmith@outlook.com

Is it safe to use the second method? Even if I was to use the first method, there is no way that a developer would know the ID for the user which they would like to request, so it would not be useful at all.

So is the second method safe? If not, is there a solution? Thanks.

Pav Sidhu
  • What do you mean by "safe"? Filtering a response based on an ID value is no different than a value dependent on that ID. Do you not want `john@outlook.com` to be able to see `jane@outlook.com`'s data? – Jeremy Fortune Feb 27 '16 at 18:24
  • It is possible to have authentication with RESTful too: http://stackoverflow.com/questions/319530/restful-authentication – Baronz Feb 27 '16 at 18:26
  • @jeremytwfortune By safe I mean, is the email in the URL bad practice and will an email with special characters break the URL? Developers can't filter by URL as there is currently no way for them to know a user's ID. I want `john@outlook.com` to be able to see `jane@outlook.com`'s data. – Pav Sidhu Feb 27 '16 at 18:28

2 Answers

Passing an email address in the URL is not a good idea, as it is non-public information. If you really need to go with the email address, then go with a POST call, or you can use the ID, which is completely safe if you are using proper authorization at the API end.

Zaheer Ahmed

As long as the ID is unique and parsable in the URI. The '@' would need to be encoded into a "%40". Other than that it's fine, IMHO. If you have two different types of identifiers, like email and ID, then you might want to allow a client to select which identifier to use:

https://api.example.com/users?email=johnsmith@outlook.com

or

https://api.example.com/users?id=1

Here is some good literature for how to use filters in REST APIs.

Jose Martinez
  • Thanks. If I use an email identifier, are you recommending to have the URL as `https://api.example.com/users?email=johnsmith@outlook.com` rather than `https://api.example.com/users/johnsmith@outlook.com`? – Pav Sidhu Feb 27 '16 at 18:32
  • Up to you, no wrong answers here. One thing to consider is that using the filters (email=, id=, etc.) allows you to expand your API in the future without it being cumbersome. – Jose Martinez Feb 27 '16 at 18:36
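
An added example, not part of the original question or answers, for the point about special characters in an email breaking the URL: it builds both URL shapes from this thread with percent-encoding and parses them back, including what happens when the client skips the encoding. The helper names and every address other than `johnsmith@outlook.com` are constructed for illustration.

```javascript
// Added example: helper names are hypothetical, sample addresses are constructed.
const BASE = "https://api.example.com";

// Path form (/users/<email>): encode the address as ONE path segment,
// so "@" becomes %40, "+" becomes %2B and "/" becomes %2F.
function userPathUrl(email) {
  return `${BASE}/users/${encodeURIComponent(email)}`;
}

// Query form (/users?email=<email>): URLSearchParams form-encodes the value.
function userQueryUrl(email) {
  const url = new URL("/users", BASE);
  url.searchParams.set("email", email);
  return url.toString();
}

// Server side, path form: split on "/" BEFORE decoding, so an encoded
// %2F inside the address is not mistaken for a segment separator.
function emailFromPath(rawUrl) {
  const segments = new URL(rawUrl).pathname.split("/").filter(Boolean);
  if (segments.length !== 2 || segments[0] !== "users") return null;
  try {
    return decodeURIComponent(segments[1]);
  } catch {
    return null; // malformed percent escape: reject instead of guessing
  }
}

// Server side, query form: searchParams.get() decodes the value and, per
// form-encoding rules, turns a raw "+" into a space.
function emailFromQuery(rawUrl) {
  return new URL(rawUrl).searchParams.get("email");
}

// Constructed inputs: a plain address, a "+" tag, and a "/" in the local part.
for (const email of ["johnsmith@outlook.com", "john+tag@outlook.com", "ops/team@outlook.com"]) {
  console.log(userPathUrl(email), "->", emailFromPath(userPathUrl(email)));
  console.log(userQueryUrl(email), "->", emailFromQuery(userQueryUrl(email)));
}

// The same addresses pasted into the URL without encoding:
console.log(emailFromPath(`${BASE}/users/ops/team@outlook.com`));        // null
console.log(emailFromQuery(`${BASE}/users?email=john+tag@outlook.com`)); // "john tag@outlook.com"
```

With encoding, every address survives the round trip in both forms; without it, the `/` address no longer matches the route and the `+` address is silently read as a different string.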