Software development for the cloud often involves coding against Platform as a Service (PaaS) offerings. These PaaS services are often provided in tandem with Software as a Service (SaaS) websites, with Salesforce’s Force.com being a well-known example. But how can you leverage these PaaS services without being tripped up by security and service management?

The idea of using Web-based APIs is not a new one. In the past, we would have thought of it as screen-scraping a website. This was the enabling technology behind early sites for comparing airline prices from multiple airline sites, or combining search results from multiple search engines.

The problem with screen-scraping is that website owners didn’t necessarily want their sites turned into an API. They didn’t want their data harvested, so they tried to stop it. However, early countermeasures, such as limiting access by client IP address, were easily defeated by scraping tools that spread requests across many addresses or routed them through proxies.

Another issue is that screen-scraping is brittle: a small change in the site’s look and feel could break the data access methods. Out of these problems the concept of the managed Web API was born.

Web APIs allow developers to access a website programmatically, typically using HTTP GETs with parameters in the query string, but in a managed manner that benefits both the client and the service provider. For the client, a standard interface means applications can be written to a well-defined contract, safe in the knowledge that the API will not change unpredictably. For the provider, managing the API through rate limiting puts a virtual “circuit breaker” on usage, preventing a single client from monopolising the service.

Web APIs are PaaS services that allow a developer to use the Web as a platform, creating an application from pieces of functionality sourced from the cloud. Service providers can monetize their services by putting a usage and pricing model into place.

The convention for managing Web APIs is the API key. Developers are issued an API key (or, in the case of Amazon, a pair: a public access key ID that identifies the caller and a secret key that is used to sign requests), which is used to identify and authenticate requests sent to the Web API. Sites providing APIs also supply code snippets in various languages (such as PHP, Java or C#) that show developers how to use the keys.

This code handles the creation of a keyed-Hash Message Authentication Code (HMAC), which accompanies each request to the Web API. The HMAC is computed with the secret key over the content of the request (method, path, parameters and, usually, a timestamp) and serves two purposes: ensuring the integrity of the request (any tampering in transit changes the HMAC, so the provider can detect it) and authenticating the client that sent it. Authentication, therefore, is based on proof of possession of the secret key, which is never itself transmitted; only the public key identifier and the HMAC travel with the request. Two consequences follow for practitioners: the secret must be guarded like a password, since anyone holding it can sign requests as that developer, and a timestamp or nonce must be part of the signed data, otherwise a captured request can be replayed verbatim and will still verify.
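The following is an added example of the signing scheme just described, written for this page rather than taken from any provider’s SDK. It shows both sides of the exchange: the client builds a canonical string from the request, MACs it with the secret key using HMAC-SHA256, and sends the access key, a timestamp and the signature as headers; the provider looks up the secret by access key, recomputes the HMAC and compares it in constant time, rejecting stale timestamps so a captured request cannot be replayed. The access key, secret key, header names, canonical-string layout and replay window are all constructed assumptions for illustration, not any real provider’s format.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credentials (assumption for this example, not real keys).
# The access key identifies the developer and travels in the clear; the secret
# key never leaves the client or the provider's key store.
ACCESS_KEY = "example-access-key-001"
SECRET_KEY = b"example-secret-key-do-not-share-0123456789"
KEY_STORE = {ACCESS_KEY: SECRET_KEY}  # the provider's side of the registration

REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and transit delay


def canonical_string(method, path, params, timestamp, body=b""):
    """Build the exact bytes both sides MAC over.

    Everything the provider should be able to trust (method, path, sorted query
    parameters, timestamp, body digest) is included, so tampering with any of
    it changes the HMAC. Sorting the parameters makes the string independent
    of the order in which the client happens to serialise them.
    """
    query = urlencode(sorted(params.items()))
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_digest]).encode()


def sign_request(secret, method, path, params, timestamp, body=b""):
    """HMAC-SHA256 over the canonical string, hex encoded (used by both sides)."""
    msg = canonical_string(method, path, params, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(access_key, secret, method, path, params, body=b"", now=None):
    """Client side: attach identity (access key), timestamp and signature as headers."""
    timestamp = int(now if now is not None else time.time())
    return {
        "method": method,
        "path": path,
        "params": dict(params),
        "body": body,
        "headers": {
            "X-Api-Key": access_key,
            "X-Timestamp": str(timestamp),
            "X-Signature": sign_request(secret, method, path, params, timestamp, body),
        },
    }


def verify_request(request, key_store, now=None):
    """Provider side: look up the secret, recompute the HMAC and compare.

    Returns (ok, reason). hmac.compare_digest is a constant-time comparison,
    so an attacker cannot learn the expected signature byte by byte from
    response timing; the timestamp check bounds how long a captured request
    stays valid.
    """
    headers = request["headers"]
    secret = key_store.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown access key"
    try:
        timestamp = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - timestamp) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_request(secret, request["method"], request["path"],
                            request["params"], timestamp, request["body"])
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo(now=1_700_000_000):
    """Walk through a valid request, a tampered one and a replayed one."""
    req = build_request(ACCESS_KEY, SECRET_KEY, "GET", "/v1/flights",
                        {"from": "DUB", "to": "SFO"}, now=now)
    valid = verify_request(req, KEY_STORE, now=now)

    # Tampering in transit: a query parameter is changed after signing.
    tampered = {**req, "params": {**req["params"], "to": "JFK"}}
    tampered_result = verify_request(tampered, KEY_STORE, now=now)

    # Replay: the identical, correctly signed request resubmitted an hour later.
    replayed = verify_request(req, KEY_STORE, now=now + 3600)
    return valid, tampered_result, replayed


if __name__ == "__main__":
    for label, result in zip(("valid", "tampered", "replayed"), demo()):
        print(f"{label}: {result}")
```

Note that the secret is used only as the HMAC key on both sides and never appears in the request itself; if the key store is compromised or the secret is committed to a public repository, the only remedy is to revoke the pair at the provider, which is why providers let developers rotate keys.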

About Mark O’Neill