I am trying to make a custom API which uploads generated random numbers to my website page (to learn how APIs work). And whenever I want to see the page, I use my API key to do so. Can you help me with this? I am new to API stuff.
1 Answer
When creating APIs, there are lots of decisions to make. You could render your structure on the client-side and query your application server via RESTful API calls. Or you could have a server-side rendering approach and use your API internally. There are four main types of APIs:
- Partner
- Internal
- Composite
- REST
In your scenario it seems that you need to either choose an internal API approach or a RESTful approach.
Your random number function itself would be similar in both cases (a simple function written in the language of your choice).
However, the token usage largely depends on the type of your API.
You need to decide whether you are going to have usernames and passwords, and whether the purpose of your token is only to avoid frequently logging in with very sensitive data such as the username and password. In that case you use a token instead, which, if it falls into the wrong hands, does not let the attacker steal the identity of your users for good, as they still do not reach those credentials. If so, then you will need to generate the token periodically. A way to do so is to generate it every week/month (whatever) and somehow send it out to your users. Or it could be generated whenever the user has to log in and sent to the user, who will be able to use that token from there on.
Or, you could separate the token from the login and provide a UI for the user where he/she can generate tokens while being logged in. There are quite a few ways to approach this.
Otherwise, if there is no username and password, and there is a token and secret to identify the user, then you will need an alternative to the login. It could be a simple request for token generation. Or it could be a repeatedly generated and sent token.
In any case, when you intend to run an API function as a user, you will need to send the information that identifies your user. On most webpages this is handled by getting a session ID (that acts as a token) upon login; then, while the session exists, that session ID is sent to the website with every request, and this is how the website knows that you are logged in. Most web servers and programming languages that handle web requests also handle token generation and usage, and browsers are in line with these through cookies, which are small files that contain information for the website.
If you have a custom environment or you prefer custom token management, then of course you can implement your own.
But, if you want to achieve simplicity, then you could implement a register and a login feature for your API as well as the number randomizer, so these are 3 API functions for now. Call the register when a user registers, store a 1-way-encrypted password, do a validation (like sending an email with a token to the user) and implement token-based user validation, which is a fourth API function. So, the user:
- registers
- receives an email with a token
- clicks on a link that has that token as a request parameter
- once that page opens, store the user as an authenticated user and remove the registration token
This will enable logging in for your user. Once your user is logged in, a session ID should be generated (in PHP you need to look into the functions whose names start with session_, for example), and then, using that session ID, your API should make sure that the randomizer can be called, and your UI should be designed in such a way that this feature can be found by users.
If I may, I advise you to avoid getting into your own token generation while you are learning; choose the simplest ways, and once the simplistic configuration you have chosen is working reliably, you may choose to write your own token logic if you prefer that for some reason.
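The four API functions the answer lists (register, validate the e-mailed token, log in and get a session ID, and the randomizer that only works with a live session), as an added example in Python that is not part of the original answer. It is an in-memory stand-in: the `UserStore` class, the function names `register`/`verify`/`login`/`random_number`, PBKDF2 as the stored password hash (what the answer calls a 1-way-encrypted password), and returning the verification token instead of e-mailing it are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class UserStore:
    """In-memory stand-in for the database behind the four API functions.

    Constructed for this example; a real service would use a database and a
    session store with expiry.
    """

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}     # email -> salt, hash, verified flag
        self.pending: dict[str, str] = {}    # registration token -> email
        self.sessions: dict[str, str] = {}   # session id -> email


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: a one-way function, so the stored value
    # cannot be turned back into the password (the "1-way-encrypted" password).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(store: UserStore, email: str, password: str) -> str:
    """API function 1: create the account and return the e-mail token.

    A real deployment puts this token in a link and e-mails it; it is
    returned here (assumption) so the whole flow can be exercised offline.
    """
    if email in store.users:
        raise ValueError("already registered")
    salt = secrets.token_bytes(16)
    store.users[email] = {"salt": salt,
                          "hash": _hash_password(password, salt),
                          "verified": False}
    token = secrets.token_urlsafe(32)   # unguessable: 256 bits of randomness
    store.pending[token] = email
    return token


def verify(store: UserStore, token: str) -> bool:
    """API function 4: the user clicked the link; the token is single-use."""
    email = store.pending.pop(token, None)   # pop: the token cannot be used twice
    if email is None:
        return False
    store.users[email]["verified"] = True
    return True


def login(store: UserStore, email: str, password: str) -> str | None:
    """API function 2: check the password and issue a session id (or None)."""
    record = store.users.get(email)
    if record is None:
        # Hash anyway so an unknown e-mail takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(record["hash"], _hash_password(password, record["salt"])):
        return None
    if not record["verified"]:
        return None
    session_id = secrets.token_urlsafe(32)
    store.sessions[session_id] = email
    return session_id


def logout(store: UserStore, session_id: str) -> None:
    store.sessions.pop(session_id, None)


def is_logged_in(store: UserStore, session_id: str) -> bool:
    return session_id in store.sessions


def random_number(store: UserStore, session_id: str) -> int:
    """API function 3: the randomizer, callable only with a live session."""
    if not is_logged_in(store, session_id):
        raise PermissionError("Not Authorized")
    return secrets.randbelow(1_000_000)


if __name__ == "__main__":
    store = UserStore()
    token = register(store, "user@example.com", "correct horse battery staple")
    print("login before verification:", login(store, "user@example.com", "correct horse battery staple"))
    print("verified:", verify(store, token))
    sid = login(store, "user@example.com", "correct horse battery staple")
    print("random number for session:", random_number(store, sid))
```

Two details worth copying even in a toy: the verification token is removed from `pending` the moment it is used, so the link in the e-mail cannot be replayed, and both the password check and the (implicit) session check compare secrets with `hmac.compare_digest` or a dictionary lookup on a random value rather than a string comparison that leaks timing.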

- The last paragraph in particular is wise advice. Get the simplest thing working then gradually build on that. Great advice not just for someone new to implementing APIs, just great advice however long you've been doing this for. – Chris Jul 10 '22 at 13:19
- Hey Lajos, thanks for sharing info on API. Actually I was looking for some example source code or something like that. I am thinking it will work like this. A Python program is generating random numbers. Those numbers will be uploaded to my webpage in a JSON format (I think) using my API key. Otherwise it prints Not Authorized. Can you help me with this? – Bharat Jul 10 '22 at 13:31
- I have the Python program and my API key. I just don't know what is the next step. – Bharat Jul 10 '22 at 13:33
- @Bharat since I am not a Python programmer, I can only help you with ideas. We know that you have a token and you have the functionality. However, it is highly unlikely that you want a single token to be shared across all users. It is much more probable that each user would have his/her own token, in which case having a single token value will not help you. In that case you need to have a mechanism to generate and manage tokens and authentication. – Lajos Arpad Jul 10 '22 at 13:50
- @Bharat however, if your scenario is simpler and you have a single token and you intend that token to be used by everyone involved, then let me first state that this is a highly insecure approach, as the more people rely on a piece of secret information, the more likely it is that one of those people proves to be a weak link for some reason (betrays the purpose of the API, or someone hacks them), and the greater the damage is if such a weak link is found. But: if you want a single token to be shared by everyone and you absolutely need that, then you will need to store that token somehow – Lajos Arpad Jul 10 '22 at 13:53
- @Bharat if you want all your users to use the same token, then that token can become an app configuration and your Python (or whatever) program would load that config and compare its value to the token sent by the user. Now, you expect that token to arrive at your API when the user requests it, either via a session cookie or some request parameters. If it's a request parameter, then DON'T USE IT AS A GET PARAMETER, because that's visible in the user's browsing history and is not encrypted by the browser. If a token is a GET parameter, then it MUST be invalidated immediately afterwards. – Lajos Arpad Jul 10 '22 at 13:56
- @Bharat and let me remind you again: it is highly advisable to use a separate token for each user and maintain/manage the tokens, so, if a user is hacked, then other users would not be affected by the consequences. According to this page: https://stackoverflow.com/questions/41354205/how-to-generate-a-unique-auth-token-in-python this is how you can generate an auth token in Python: `rand_token = uuid4()` – Lajos Arpad Jul 10 '22 at 13:58
- @Bharat finally, the number generator that you need to use might be the token generator. But I cannot know that for sure, as I do not know your exact requirements. – Lajos Arpad Jul 10 '22 at 13:59
- @LajosArpad thanks for all that info. I got it now and I'll surely follow your recommendation. – Bharat Jul 10 '22 at 17:33