The Software Engineer’s Guide to Public APIs Scott McAllister @stmcallister

Why APIs? Because every business is a digital business, and businesses communicate via APIs:
❏ Make payments
❏ Shop online
❏ Get around
❏ Be entertained
❏ Do work
❏ Order food
❏ Buy anything
❏ Stay healthy
❏ Be connected

What is an API?

API Standards: HTTP methods map onto the four data operations
❏ POST: Create data
❏ GET: Read data
❏ PUT: Update data
❏ DELETE: Delete data

HTTP Messages: the parts of an HTTP message
❏ Method: the action being taken (POST, GET, PUT, DELETE)
❏ Header: information about the data in the message
❏ Body: the data being sent

Authorization Header: carries the API token (the credential) that authenticates and authorizes each request to the API

Authentication: OAuth. A token is issued for each user of the client app (created automatically when that user authorizes the app), so the app presents the token instead of the user's password.

A long time ago in a galaxy far, far away….

[Diagram: Your App talks to Google Calendar]

[Diagram: Your App sends the user's Google username and password to Google Calendar and gets calendar data back]

Password Anti-Pattern: [Diagram: the same exchange; Your App holds the user's Google username and password in order to fetch calendar data]

No easy way to revoke access from the client app

Once they're in, they're hard to stop

Access: all or nothing (the password grants everything the user can do)

User can't remove their credentials from a third-party app, short of changing the password everywhere

OAuth

OAuth
❏ Open standard for authorizing secure access to an HTTP service
❏ Uses tokens rather than the user's password to prove the client is authorized
❏ Provides "secure delegated access" to client applications
❏ Limits the scope of access the user grants

OAuth with Client Secret

Keep it Secret. Keep it safe. (The client secret lives only on a server the client app controls; a browser or mobile app cannot keep it secret, which is what the PKCE variant is for.)

[Sequence diagram: Client App and PagerDuty]
1. Client App requests authorization with its Client ID and Redirect URI
2. User allows or denies access
3. Auth code returned to the Client App (via the Redirect URI)
4. Client App requests an Access Token with the Auth Code, Client ID and Client Secret
5. Access Token returned

OAuth with Proof Key for Code Exchange (PKCE)

PKCE Terms
❏ Code_verifier
  ❏ High-entropy random string of 43 to 128 characters (e.g. 32 random bytes, base64url-encoded without padding)
❏ Code_challenge
  ❏ SHA-256 hash of the Code_verifier, base64url-encoded (no padding), when the method is S256
❏ Challenge_method
  ❏ Hash method used: S256 (recommended) or plain (challenge equals the verifier)

[Sequence diagram: Client App and PagerDuty]
1. Client App generates and saves a code verifier, then creates the code challenge from it
2. Client App requests authorization with Client ID, Code Challenge, Code Challenge Method, and Redirect URI
3. User allows or denies access
4. Auth code returned
5. Client App requests an Access Token with the Auth Code, Client ID and Code Verifier
6. PagerDuty validates the code and the Code Verifier (against the challenge it stored in step 2)
7. Access Token returned
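Both flows above, the client-secret exchange and the PKCE exchange, run against one toy authorization server in the added example below. This is illustration code written for this page, not PagerDuty's implementation: the client registry (web-app, mobile-app), the redirect URIs, the secret and the error strings are constructed, and ToyAuthServer keeps state in memory. What it shows is what each side actually checks: the server binds the code to the client and redirect URI, a confidential client must present its secret, a public client must prove the code verifier that hashes to the challenge it sent earlier, and a code is single-use.

```python
"""Authorization-code flow in the two variants from the slides: confidential
client with a client secret, and public client with PKCE (RFC 7636).
Added example: ToyAuthServer is an in-memory stand-in, not PagerDuty's code;
client ids, secrets, redirect URIs and error strings are constructed."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: 32 random octets -> 43 characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Authorize and token endpoints, reduced to the checks that matter."""

    def __init__(self):
        # Constructed registry: a confidential (server-side) and a public client.
        self.clients = {
            "web-app": {"secret": "web-app-secret", "redirect_uri": "https://app.example/cb"},
            "mobile-app": {"secret": None, "redirect_uri": "com.example.app:/cb"},
        }
        self.codes = {}  # auth code -> what it was issued for

    def authorize(self, params: dict, user_allows: bool):
        """Steps 1-3: validate client and redirect URI; issue a code if the user allows."""
        client = self.clients.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("unknown client_id or redirect_uri mismatch")
        if not user_allows:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"],
                            "challenge": params.get("code_challenge"),
                            "method": params.get("code_challenge_method")}
        return code

    def token(self, params: dict) -> dict:
        """Steps 4-5: exchange a single-use code for an access token."""
        issued = self.codes.pop(params.get("code"), None)  # a replayed code finds nothing
        if issued is None or issued["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        client = self.clients[issued["client_id"]]
        if client["secret"] is not None:
            # Confidential client: must present the client secret.
            if not hmac.compare_digest(params.get("client_secret", ""), client["secret"]):
                return {"error": "invalid_client"}
        elif issued["challenge"] is None:
            return {"error": "invalid_request"}  # public client must use PKCE
        if issued["challenge"] is not None:
            # PKCE: the verifier presented now must hash to the challenge sent earlier,
            # so an intercepted code is useless without the verifier the client kept.
            if issued["method"] != "S256":
                return {"error": "invalid_request"}
            actual = make_code_challenge(params.get("code_verifier", ""))
            if not hmac.compare_digest(actual, issued["challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_secret_flow(server, client_secret="web-app-secret", user_allows=True) -> dict:
    """'OAuth with Client Secret' slides: code exchanged with client_id + client_secret."""
    code = server.authorize({"client_id": "web-app",
                             "redirect_uri": "https://app.example/cb"}, user_allows)
    if code is None:
        return {"error": "access_denied"}
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": "web-app", "client_secret": client_secret})


def run_pkce_flow(server, user_allows=True, wrong_verifier=False) -> dict:
    """'OAuth with PKCE' slides: no secret; generate verifier, send challenge, prove verifier."""
    verifier = make_code_verifier()            # generate & save code verifier
    challenge = make_code_challenge(verifier)  # create code challenge
    code = server.authorize({"client_id": "mobile-app", "redirect_uri": "com.example.app:/cb",
                             "code_challenge": challenge, "code_challenge_method": "S256"},
                            user_allows)
    if code is None:
        return {"error": "access_denied"}
    # An attacker who intercepted the code does not hold the saved verifier.
    presented = make_code_verifier() if wrong_verifier else verifier
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": "mobile-app", "code_verifier": presented})
```

The S256 transform matches the RFC 7636 test vector, and the comparisons use hmac.compare_digest so a verifier or secret is not leaked byte by byte through timing. In a real client the code verifier is stored in the session that started the flow and never sent to the authorization endpoint; only its hash goes there.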

Automation

How to get updates? Polling vs Webhooks

Polling: Are you done yet?

Webhooks: May I have your attention, please!

[Diagram: an event happens in PagerDuty; PagerDuty sends a Webhook Message (HTTP POST) to the Client App]

Webhook Payloads: thin vs. not so thin?

Thin Payload

“Heavy” Payload
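The receiving side of the webhook slides, as an added example written for this page rather than taken from it or from PagerDuty: a receiver that accepts both a thin payload (only the event type and the resource id, so the app has to call the API to get the resource) and a heavy payload (the resource carried inline). The JSON shapes, the REQUIRED field set, the in-memory API_STORE and the fetch_incident call are all constructed for the example and do not follow PagerDuty's schema. The receiver also treats a repeated event id as a duplicate delivery, an assumption about at-least-once delivery that most webhook senders make true in practice.

```python
"""Webhook receiver for the two payload styles on the slides: thin (names
the resource) and heavy (carries it).
Added example; payload shapes, field names and the API stand-in are constructed."""
import json

# Fields the handler needs before it can act (assumed for this example).
REQUIRED = {"id", "title", "status", "urgency"}

# Stand-in for the REST API the receiver calls back into on a thin payload.
API_STORE = {
    "inc-42": {"id": "inc-42", "title": "DB latency", "status": "triggered", "urgency": "high"},
}

# Constructed sample deliveries (not PagerDuty's real webhook format).
THIN_DELIVERY = json.dumps({"event": {"id": "evt-1", "type": "incident.triggered",
                                      "data": {"id": "inc-42"}}})
HEAVY_DELIVERY = json.dumps({"event": {"id": "evt-2", "type": "incident.triggered",
                                       "data": {"id": "inc-43", "title": "Disk full",
                                                "status": "triggered", "urgency": "high"}}})


def fetch_incident(incident_id: str) -> dict:
    """The extra API round trip a thin payload forces (it counts against the rate limit)."""
    if incident_id not in API_STORE:
        raise LookupError(incident_id)
    return dict(API_STORE[incident_id])


class WebhookReceiver:
    def __init__(self):
        self.seen_events = set()   # webhooks are normally delivered at least once
        self.handled = []          # (event type, incident id, status)
        self.api_calls = 0

    def resolve(self, data: dict) -> dict:
        """Heavy payload: use it as delivered. Thin payload: fetch the current resource."""
        if REQUIRED.issubset(data):
            return data
        self.api_calls += 1
        return fetch_incident(data["id"])

    def handle(self, body: str) -> int:
        """Returns the HTTP status the receiver would answer the POST with."""
        try:
            event = json.loads(body)["event"]
            event_id, event_type, data = event["id"], event["type"], event["data"]
            incident_id = data["id"]
        except (ValueError, KeyError, TypeError):
            return 400  # malformed delivery: reject, the sender should not retry
        if event_id in self.seen_events:
            return 200  # duplicate delivery: acknowledge, do not process twice
        try:
            incident = self.resolve(data)
        except LookupError:
            return 500  # could not complete: a 5xx tells the sender to retry later
        self.seen_events.add(event_id)
        self.handled.append((event_type, incident_id, incident["status"]))
        return 200
```

The trade-off the slide title hints at shows up in api_calls: every thin delivery costs one extra API request, while a heavy delivery costs none but can be stale by the time it is processed, since the resource may have changed after the event was emitted.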

Rate Limiting: Call Limit vs Rate Limit
❏ Call Limit: the number of times the API may be invoked in a certain time period; usually a business choice
❏ Rate Limit: imposed for reasons of fairness, so one customer doesn't overwhelm the infrastructure and affect other customers

Rate Limiting: Rate Limit Response. The response to the API call will say
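What a client should do with that response, as an added example written for this page (not PagerDuty's code or the slide's own content). The slide's sentence is cut off, so the example assumes the common convention, HTTP 429 with a Retry-After header giving seconds to wait; ToyApi is a constructed server stand-in with a sliding-window limit, and the clock and sleep are injectable so the example runs instantly. The point is that a well-behaved client waits what it is told, backs off with jitter when it is told nothing, and gives up after a bounded number of attempts instead of hammering the API.

```python
"""Client-side handling of a rate-limit response.
Added example. Assumes HTTP 429 + Retry-After in seconds; ToyApi, FakeClock
and the limits below are constructed for the example."""
import math
import random
import time
from collections import deque


class FakeClock:
    """Manual clock: sleep() advances time instead of blocking."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class ToyApi:
    """Sliding-window rate limit: at most `limit` calls per `window` seconds."""
    def __init__(self, limit=5, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = deque()  # timestamps of calls inside the window

    def call(self):
        """Returns (status, headers) the way an HTTP client would see them."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        if len(self.calls) >= self.limit:
            wait = self.window - (now - self.calls[0])  # until the oldest call ages out
            return 429, {"Retry-After": str(math.ceil(wait))}
        self.calls.append(now)
        return 200, {}


def call_with_backoff(api, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Retry on 429: honour Retry-After, else exponential backoff; jitter either way.
    Returns (final status, number of retries used)."""
    for attempt in range(max_attempts):
        status, headers = api.call()
        if status != 429:
            return status, attempt
        if "Retry-After" in headers:
            delay = float(headers["Retry-After"])
        else:
            delay = min(30.0, 0.5 * 2 ** attempt)
        delay += rng() * 0.1 * delay  # jitter so many clients don't retry in lockstep
        sleep(delay)
    return 429, max_attempts
```

Retry-After may also be an HTTP date rather than a number of seconds; the float() here only handles the numeric form, which is the assumption stated above. The call limit from the previous slide is a different budget: it is a quota the client should count against on its own, because a 429 only tells it about the short-term rate.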

Developer Experience