API Acceptable Use Policy #593

Open
philosophicles opened this Issue Feb 2, 2019 · 2 comments


philosophicles commented Feb 2, 2019

Discussed briefly among site admins. Relates to #552 and #416.

We should possibly have some kind of policy or guidelines that API users have to agree to abide by, before they're able to get access tokens.

How much this policy would be able to cover would depend on which parts of our API can be used anonymously.

If/when written, this may need referencing from the User Policy (#556) or Privacy Policy, so readers of those policies (whose data might be contained in API responses) know more about how API data users are "regulated".


CHTJonas commented Feb 2, 2019

Picking up from the PR linked above, I think it was generally agreed that unauthenticated API requests should be blocked to endpoints that concern 'people', but left open for shows, venues, societies and the diary. I think that is a pretty good compromise between users concerned about their data privacy and maintaining access for existing applications (eg. G&S website which uses client-side AJAX IIRC).

A few hasty thoughts on the API AUP:

  • Broadly convey the notion that you should 'do no evil' with any data you obtain from Camdram.
  • Users should only use the API for machine-based requests and not simply scrape HTML/CSS/JS.
  • Developers should make every effort to register their application using API keys unless this is impractical (maybe link to the sample demo OAuth apps).
  • API client applications must not expose their keys or tokens (so client side anonymous AJAX is fine, but in-browser client side OAuth stuff obviously isn't...)
  • API signups don't require approval and there are no limits on the number of apps that can be registered, but webteam reserve the right to review & block apps as necessary. Any decisions are final etc.
  • API clients cannot create new API keys for other apps (eg. proliferation to get around request limits/abuse tracking).
  • Applications which cache Camdram data should make reasonable efforts to expire or revalidate such data at regular intervals.
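The first paragraph of the comment above describes a concrete access-control rule: anonymous requests are refused on endpoints that concern people but allowed on shows, venues, societies and the diary. The following is an added illustration of how such a route-level policy can be enforced deny-by-default; it is not Camdram's code, and the route prefixes (`/people`, `/shows`, `/venues`, `/societies`, `/diary`) and the `PERSON_SEGMENTS` names are assumptions chosen for the example. It goes slightly beyond the comment by also treating person sub-resources under public resources (for instance a show's cast list) as person data, and by normalising the path so that case, trailing slashes, `..` segments and percent-encoding cannot turn a person endpoint into a public one.

```python
"""Route-level anonymous-access policy.

Added example, not Camdram code.  Assumes a REST API where paths under the
prefixes below refer to people (authentication required) or to public
resources (anonymous access allowed).  Anything not explicitly public is
denied to anonymous callers.
"""
from urllib.parse import unquote, urlsplit

# Assumed public route prefixes for the example.
PUBLIC_PREFIXES = ("/shows", "/venues", "/societies", "/diary")

# Assumed path segments that mark a resource as being about a person,
# wherever they appear in the path (e.g. /shows/42/people).
PERSON_SEGMENTS = {"people", "person", "users"}


def normalise_path(raw_path: str) -> str:
    """Canonicalise a request path before matching it against the policy.

    Drops the query string, percent-decodes, lower-cases, removes empty and
    '.' segments and resolves '..', so that variants such as '/SHOWS/',
    '/shows/../people/7' or '/peo%70le/7' are compared in one form.
    """
    path = unquote(urlsplit(raw_path).path).lower()
    segments: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def allows_anonymous(raw_path: str) -> bool:
    """True only if the path is a public resource and not about a person."""
    path = normalise_path(raw_path)
    segments = path.strip("/").split("/") if path != "/" else []
    # A person-related segment anywhere keeps authentication required,
    # even underneath an otherwise public resource.
    if any(seg in PERSON_SEGMENTS for seg in segments):
        return False
    # Prefix match on whole segments only: '/showsx' must not match '/shows'.
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def authorise(raw_path: str, authenticated: bool) -> bool:
    """Decision a middleware would make before dispatching the request."""
    return authenticated or allows_anonymous(raw_path)


if __name__ == "__main__":
    for p in ("/shows/42", "/people/7", "/shows/42/people", "/SHOWS/",
              "/shows/../people/7", "/peo%70le/7", "/admin"):
        print(f"{p:24} anonymous allowed: {allows_anonymous(p)}")
```

In a real deployment this check sits in front of the router (a Symfony firewall rule or equivalent) rather than being called ad hoc per controller, so a newly added endpoint is denied to anonymous callers until someone deliberately lists it as public. Double percent-encoding and other framework-specific path quirks are not handled here; the router's own canonical path should be the input to the policy, not the raw request line.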

CHTJonas commented Feb 13, 2019

Possibly helpful real-world example: https://github.com/reddit-archive/reddit/wiki/API#rules
