My advice for running a public-facing API, coming from 11 years of operating the Pushover (@pushover) API:

- Host the API on its own hostname
- Don't be too liberal in what you accept
- Avoid OAuth if you can
- Log a unique id with every request
- Be descriptive in your error responses
- Use prefixed tokens
- Stay on top of failures

https://jcs.org/2023/07/12/api