
REST API improvement suggestions

Hi OST team


I've already mentioned this to Pranay Valson in the Gitter chat, but figured I might as well post it here.


The REST API as of now is a bit confusing to newcomers, it seems. At least in my experience. Furthermore, it seems, from a user perspective, to be overly verbose.


I've created a gist showing how I call the create user endpoint with the current api and then a version where I have optimized the usage from what I gather should be possible -> Gist link


The main things are:

  1. It shouldn't be necessary to provide parameters in both the query string and the post body. It makes the api overly complicated to use imho.
  2. Right now it's not intuitive how much of the request should be part of the string to sign. I would think that only the api key and the timestamp would need to be signed. And again, the signature should only have to be included once.
  3. When you already use the api key and timestamp to sign the request, is it really necessary to include them both as separate parameters?

Just my two cents. Do let me know if any clarification is needed :)

Keep up the good work team!


Kind regards

Mads


1 person likes this idea

Hi Mads, 

Thanks for your suggestions and the gist posted here. We took a look at it and understand that the following should help resolve the confusion.
 

The params of the API calls actually need to be present only in the post body. One of those params is the signature, and this is required to sign all the params including the api_key and timestamp; the reason for this is to ensure that the man-in-the-middle (as @realJayNay also pointed out) cannot change the input params to the request. The api_key and timestamp are also required to sign the request so that we can validate the signature on the server side. And just to be sure: the query string you mentioned is used in the algorithm to generate the string to sign, but we don't require you to specify the params again in the query string while POSTing the request.

Hope that was helpful and also thank you for your active involvement on gitter with the C# developer community. 

Kind regards,
Pranay
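
The point in the reply above (signing every parameter versus only the api key and timestamp), as an added example that is not part of the thread and not OST's own code. HMAC-SHA256, the name-sorted string to sign, the endpoint path, the parameter names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values; none of them come from the OST API.
API_SECRET = b"constructed-demo-secret"
ENDPOINT = "/users/create"  # hypothetical endpoint path
SIGNED_SUBSET = ("api_key", "timestamp")


def sign(endpoint, params, secret=API_SECRET):
    """HMAC-SHA256 over endpoint + '?' + name-sorted, URL-encoded params (assumed format)."""
    string_to_sign = endpoint + "?" + urlencode(sorted(params.items()))
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def build_post_body(endpoint, params, covered=None):
    """Client: each param appears once in the POST body, plus one signature."""
    to_sign = params if covered is None else {k: params[k] for k in covered}
    return dict(params, signature=sign(endpoint, to_sign))


def verify(endpoint, body, covered=None, secret=API_SECRET):
    """Server: recompute the signature from the received body and compare."""
    received = dict(body)
    claimed = received.pop("signature", "")
    if covered is not None:
        received = {k: received[k] for k in covered}
    return hmac.compare_digest(claimed, sign(endpoint, received, secret))


def demo():
    params = {"api_key": "demo-key", "timestamp": "1520000000", "name": "Alice"}
    full = build_post_body(ENDPOINT, params)
    partial = build_post_body(ENDPOINT, params, covered=SIGNED_SUBSET)
    # In transit, one body parameter is changed by someone without the secret.
    full_changed = dict(full, name="Mallory")
    partial_changed = dict(partial, name="Mallory")
    return {
        "all_params_untouched": verify(ENDPOINT, full),
        "all_params_changed": verify(ENDPOINT, full_changed),
        "subset_changed": verify(ENDPOINT, partial_changed, covered=SIGNED_SUBSET),
    }


if __name__ == "__main__":
    print(demo())
```

When the signature covers every parameter, the changed body fails verification; when it covers only the api key and timestamp, the changed body is still accepted.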


Hi Pranay


Thanks a lot for clearing that up, makes sense now :)

That said, it's still quite cumbersome to use, but as long as there is a reason for it :)


Regards

Mads

Ah, good to know that the query string is not necessary for POSTs. Thanks for clarifying, Pranay.