This is a slight departure from my usual rants, but only because authentication has occupied too much of my damn time this week. Many years ago, we wrote a White Paper on OAuth with the team at OAuth.io who includes the amazing crew behind the APIdays events. It was called "The Standard That Isn’t." We almost called it the 57 Flavors of Authentication, but we thought we might get sued. Still better than 50 Shades of Authenticattion. Our position was that there were LOTS of REALLY ANNOYING problems with OAuth that made handling API authentication painful. You’d have thought that [...]

There is an idiom in English, “you don’t let the foxes guard the hen house.” I’m not sure how well it translates, but the meaning is simple – don't have people or things who can’t necessarily be trusted to do things requiring trust. This was essentially the sub-theme of my first API Rant where I opined that the monitoring industry was becoming quite self-serving. But it’s a topic to explore in more detail because it’s come back and annoyed me again during a conversation with one of the API industries top vendors. Me: (Explaining what we do and why people use [...]

API Rant... For this week's API rant, a little story from history. When I was a kid, back when telephones were a thing in the hallway, my friends would phone up and say, “is David there?” My father, who, as the man who controlled the phone would sometimes reply, “yes.” And put the phone down.As he would explain to anybody who cared, the correct question is, “may I speak to David.”What does this have to do with APIs you may ask? Well, let me tell you.A discussion this week with @kin lane revealed an interesting conversational and business problem lurking [...]

TTFB – This Isn’t The Metric You’re Looking ForTTFB (Time to First Byte) is a metric used by Open Banking UK, and was originally defined by the Open Banking Implementation Entity. The trouble is, it’s also something of an example of Goodhart’s Law which is hugely problematic for monitoring.Essentially Goodhart states: Any observed statistical regularity will tend to collapse once pressure is placed upon it for control purposes. Goodhart's Law - Wikipedia So, harkening back to my previous comments about how self-serving the monitoring industry is, if you define a metric, then you’re defining something somebody can game if you don’t pay [...]

API Rants: Test in Prod or give up.  This is a public service rant.  For the love of Mike/whatever being is responsible for your monitoring, please monitor your APIs in their production environment!  I had a little rant recently about how I thought the monitoring industry had become somewhat self-serving— now I’m going to shift to something that isn’t the fault of the monitoring industry but is a HUGE problem in the Open Finance sector.  Monitoring Production Systems  You release a software service. Own it. Period. We can go home now.  What’s that?   Group risk and security won’t let you monitor a real account?   Then give up, you’ve failed before you’ve even [...]