I have an API that I want to provide public access to, but I want to be able to limit access.

I've been thinking about Twitter's model:

  • Twitter allows developers to access the data using an api key (I think).
  • Twitter must also access the data from their website to allow you to tweet / search.
  • So Twitter must be able to stop developers from impersonating twitter and basically using their api key.

How do they do it? And is there a better way?

Arithmomaniac
dan gibson

1 Answer

Twitter doesn't use their REST API to power their website, they query their database directly. Therefore, there is no API key to steal. You can read about the difference between Twitter's API and Website database queries (circa 2009) here.

The basic techniques Twitter uses to rate-limit their API will probably be the ones you would want to consider, too:

Unauthenticated calls are permitted [fewer] requests per hour. Unauthenticated calls are measured against the public facing IP of the server or device making the request.

OAuth calls are permitted [more] requests per hour and are measured against the oauth_token used in the request.

The mechanisms to implement that depend on your server platform (you should update your original post with that), but you can learn about OAuth (the second technique above) on their website.

Arithmomaniac