Public API endpoints
So even before login, these endpoints were private. What if we have some API endpoints that are public, such as a weather forecast giving forecast data to everyone. It is better to still have an API key to track who is getting data to the server, but what if this is not the case and we are just giving data without any API keys? Does that mean that we are giving that data publicly, so we don't need to worry about anything? Actually, no.
If a client is passing any information to the server, then it is better to have TLS that should be used to encrypt data. Other than that, we also can't allow anyone to keep hitting an endpoint; to make usage fair, we need to apply throttling, which means an API endpoint can be hit only ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access