Advice for Operating a Public-Facing API

I've been operating Pushover's public-facing API for over a decade now and I thought I'd pass on some advice for those creating a new API.

Pushover's API might be unusual in that it is used by a wide range of devices (embedded IoT things, legacy servers, security cameras, etc.) and HTTP libraries, rather than mostly being accessed from JavaScript in the latest web browsers. It also doesn't process sensitive financial information, so the advice given here may not be applicable to something operating like Stripe's API.
