I Like Being Able To Verify A Developer Is Real Before Giving Them Access to My APIs
30 Nov 2015
As I think about the bad behavior that occurs on the API consumption side of API operations, I'm considering ways that I can help API providers address these problems when they arise within their ecosystems. What can you do when bad actors have access to your APIs? Also more critically for some providers, what can you do to prevent bad actors from on-boarding with your API program at all?
I strongly believe that companies should be as public with their API efforts as possible, but when it comes to which developers you let in, and which ones you don't, I'm finding I'm becoming more conservative in my thoughts--as long as you are transparent about the process. I'm still forming all of my thoughts around this (hence the blog post), and I'm sure is something that will keep evolving as I continue to push forward my awareness of the API space.
When I see a new sign-up for my own APIs, I like to be able to verify who the new consumer is. I like to see a real name, and potentially a company name, but also when I Google the combination, I like to see an active Twitter, LinkedIn, or Github account. It is easy to tell real people, from personas that live n the shadows, and I prefer verifiable people use my APIs.
If you are a public API consumer, I do not think it is unreasonable to ask you to maintain some sort of public presence, to verify who you are, and what you do. I know for many enterprise developers this is insanity, which is why I put LinkedIn profiles in the mix--I do not expect everyone to be super popular on Twitter, and a die-hard Github user. However, in 2015, you really should consider!
As I'm going through my own API on-boarding process, trying to make smoother (it isn't the best right now), I am considering how I will articulate what behavior I expect of my API consumers--in plain English. This post is just part of my iteration, putting my thoughts out to the universe, getting feedback when I can, but ultimately knowing that I am the sole decision maker when it comes to setting the tone in my own API community.
What tone are you setting? Do you verify your API consumers? What is the bar you set for a place at the table?