I have an algorithm that receives input and delivers output which I would like developers to use like an API. To prevent denial-of-service attacks and excessive overuse, I want some rate limits or protection. What options do I have? Do I provide accounts and API keys? How would that generally work? And what other ideas are possible for this scenario?
Accounts and API keys do sound like a good idea; if nothing else, it stops people other than your intended developers from being able to access your API.
It should be fairly straightforward to have a simple database table logging the last time a particular API was accessed, and denying re-use if it is accessed too many times in a certain time frame. If possible, return the next time the API will be available for re-use in the output, so developers can throttle accordingly, instead of having to go for a trial and error approach.
Are you expecting the same inputs to be used over and over again or will it be completely random? What about caching the output and only serving the cache to the developer(s) until the API is ready for re-use? This approach is far less dependent on accounts and keys too.
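The scheme this answer sketches (a per-key table of recent access times, a refusal when the key has been used too often in the window, the next-available time returned in the response, and a cached output served for a repeated input while the key is throttled), as an added example that is not part of the original answer. The in-memory dictionaries stand in for the database table; the window length, the call limit, the `secrets`-based key issuance and the decision to store only a SHA-256 digest of each key are my assumptions, not something the answer specifies.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque


class KeyStore:
    """Issues API keys and keeps only a SHA-256 digest of each one, so a leaked
    table does not hand out usable keys (an assumption about storage, not
    something the answer specifies)."""

    def __init__(self):
        self._digests = {}  # sha256(key) -> developer/account name

    def issue(self, developer):
        key = secrets.token_urlsafe(32)  # high-entropy random key for the developer
        self._digests[hashlib.sha256(key.encode()).hexdigest()] = developer
        return key

    def lookup(self, key):
        # Keys are random and high-entropy, so a plain dict lookup on the digest
        # does not leak anything useful through timing.
        return self._digests.get(hashlib.sha256(key.encode()).hexdigest())


class RateLimiter:
    """Sliding-window limiter: at most max_calls per key in any window of
    `window` seconds. The clock is injectable so the behaviour is testable."""

    def __init__(self, max_calls=5, window=60.0, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window
        self.clock = clock
        self._calls = defaultdict(deque)  # key -> timestamps of recent calls

    def check(self, key):
        """Return (allowed, retry_after_seconds); retry_after is 0.0 when allowed."""
        now = self.clock()
        recent = self._calls[key]
        while recent and now - recent[0] >= self.window:  # drop calls outside the window
            recent.popleft()
        if len(recent) < self.max_calls:
            recent.append(now)
            return True, 0.0
        # Oldest call in the window decides when the next slot frees up.
        return False, self.window - (now - recent[0])


class Api:
    """Authenticates by key, rate-limits per account, and serves a cached result
    for a repeated input while the account is throttled."""

    def __init__(self, compute, keys, limiter):
        self.compute = compute
        self.keys = keys
        self.limiter = limiter
        self._cache = {}  # (developer, input) -> output

    def call(self, api_key, request_input):
        developer = self.keys.lookup(api_key)
        if developer is None:
            return {"status": 401, "error": "invalid API key"}
        allowed, retry_after = self.limiter.check(developer)
        cache_key = (developer, request_input)
        if allowed:
            output = self.compute(request_input)
            self._cache[cache_key] = output
            return {"status": 200, "output": output}
        if cache_key in self._cache:  # throttled, but we have seen this input before
            return {"status": 200, "output": self._cache[cache_key],
                    "cached": True, "retry_after": round(retry_after, 3)}
        return {"status": 429, "error": "rate limit exceeded",
                "retry_after": round(retry_after, 3)}


class FakeClock:
    """Constructed clock so the demo runs deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk one account through: bad key, 3 allowed calls, a cached repeat,
    a 429 with retry_after, then success once the window has passed."""
    clock = FakeClock()
    keys = KeyStore()
    api = Api(compute=lambda x: x * x, keys=keys,
              limiter=RateLimiter(max_calls=3, window=60.0, clock=clock))
    key = keys.issue("alice")
    results = [api.call("bogus", 2)["status"]]
    for _ in range(3):
        results.append(api.call(key, 2)["status"])
    r = api.call(key, 2)
    results.append((r["status"], r.get("cached", False)))
    r = api.call(key, 3)
    results.append((r["status"], r["retry_after"]))
    clock.advance(60)
    results.append(api.call(key, 3)["status"])
    return results


if __name__ == "__main__":
    print(demo())
```

Returning `retry_after` on every throttled response is the point the answer makes about sparing developers a trial-and-error approach; serving the cache only for an input the same account has already computed keeps the cache from becoming a way to read other accounts' results.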
API keys can definitely be a good way to go; there is also OAuth (http://oauth.net) if you have scenarios where end users will be accessing the service via apps built by third parties.
If you don't want to code the rate limits / key management yourself, it's worth taking a look at http://www.3scale.net/ which does a lot of this for free out of the box as a service (plus other stuff including a developer portal, billing and so on). As a disclaimer, I work there so I might have some bias, but we try to make exactly this as simple as possible!
I should add, there's a PHP plugin for 3scale which you can drop into your code and that'll enable all the rate limits etc.