Open Your API

I know that your site has a private API. There are a lot of endpoints that aren’t officially documented, but they are available if you know the right stuff. It’s not hard to find out how your site works; I just need to make a request and watch my Network tab. You thought you were clever by using cURL and a made-up request ID.

I’m not writing this just because I want everything to have an API (I do, but that’s another article). I am writing this because the company I work for has a client that was told that they could manage all of the data on a webapp via the API. I had to go back and forth with support about what the API could do until they finally called me to tell me there were only two things the API was good for. I’m a bit stubborn, so I decided to poke at the site a little bit harder than a “normal” person would poke. After this poking, which became stabbing and swearing, I found that they use cURL to make AJAX requests. Now I’m left in a bit of a pickle. The information that I was given, and then relayed to my client, was that there wasn’t a lot that we could do with the API. Moving forward, I can either stick with the public API that is rather limiting or I can use the same cURL requests that the company uses for their AJAX requests. If anything goes wrong with the client’s data, I will get blamed because I am using an undocumented, unsupported API.

You might not think that it is relevant to have an open API, but I have a client that wants to integrate your product with another product. You have a few choices here: keep telling us that you aren’t going to open your API, open your API to the public, or build integrations with other products. I know that you are busy, so your gut instinct is going to be to tell me to shove it. If you open up your API or build that third-party integration, your customers will be a lot happier and I will be able to tell them the sky is the limit with your product.

Now that we have it out in the open that you have an API and you don’t want me using it, let’s get something clear. If you had an open, documented API, I could build something on top of your backend that is pretty awesome. The fact that you don’t have an open API tells me that you don’t trust me, or worse, yourself. I understand that you have security concerns, but it would be great if you can iron those out and document everything your API can do.

Like what you read? Give Jake Neumann a round of applause.
