Getting Started With Public APIs

Eryn O’Neil • @eryno

Today’s Agenda● Evaluating an API● Authentication● Testing (“Hello, API!”)● Now What?

Today’s (and Forever’s) Ground Rules:● If you don’t understand: Ask.● No, really. Ask! No dumb questions.● If you get too into the weeds, I might cut you off.

But err on the side of asking.

Most important ground rule:

Don’t be afraid to start slow and enjoy yourself.

So you don’t know how OAuth works. So what? You don’t need to yet.

You aren’t less of a programmer if you abstract away the complicated parts or don’t know what “endpoint” means. (It’s just a fancy word for “URL”, anyway).

We all start somewhere.

Evaluating an APIOr: Um, which one should I pick?

Where should I start?

Prioritize ease of use over popularity.

Reasonable Approaches● Flickr● Last.fm● Twilio● Lots and lots of other sites

There Be Dragons● Twitter● Facebook

Evaluating an API: Documentation

Evaluating an API: Documentation

AuthenticationOr: “I promise I’m me” isn’t good enough for you?

AuthenticationAuthentication can be hard to

implement well. Fortunately, you aren’t implementing it.

Common methods:

● No authentication● HTTP Basic Authentication● HMAC● OAuth / OAuth2

Authentication: None!Not very common, because it’s harder to limit abuse.

But if you find one, they make a great place to learn your tools.

Keep APIs available with one weird trick: Don’t be a jerk.

Example: http://jsonplaceholder.typicode.com/

Authentication: HTTP Basic AuthenticationHTTP Basic Auth is as old as the internet and baked into every web browser. It’s not the most secure method, but it is very convenient.

How it works:

1. Get a username and password2. Base64 encode the string “username:password”3. Pass the base64-encoded string as an HTTP header named Authorization.

4. Done.

Authentication: HTTP Basic AuthenticationPractically speaking…

1. Use PHP:

2. Send it in the URL:

http://username:password@www.example.com/

3. Use Postman.

“Um, what’s Postman?”I’m so glad you asked.

https://www.getpostman.com/

Authentication: HMAC & OAuthHMAC = [keyed-]Hash Message Authentication Code

A pre-agreed upon way of hashing several pieces of data-- usually a username, a secret key or password, the request being made (URL), and something that changes every request (like a timestamp).

OAuth isn’t an acronym, but it basically means “Open Authentication”

An implementation of HMAC, plus a standard script for HTTP calls that allows a client (ex: you) to authenticate against a server (ex: Twitter) asynchronously.

Authentication: HMAC & OAuthThey’re both great, but they’re a little complicated to describe in this talk.

One day you may write an OAuth server or client. That will be a great time to learn more about it.

Until then: Use the magic OAuth button in Postman.

Okay, I got my instant gratification. I need more than Postman. Now what?

Write something!Slim: http://www.slimframework.com/

PossibilitiesDownload listening data from Last.fm and find out how many people are both Metallica fans and One Direction fans.

Write a script that auto-rejects LinkedIn requests for every recruiter that emails you with a job that has nothing to do with your skills.

Automatically pull every cat photo from Flickr and change your desktop every 15 minutes. (You won’t get through every cat photo, but if you try to do it in real time you’ll probably freeze your machine.)

I hate those ideas.Where can I find more?

http://www.programmableweb.com/apis/directory

So, what are you going to build?(Thanks!)