Multiple API Authentication Types

Web Services APIs can employ many different types of authentication mechanisms. Authentication is necessary to be able to control access, throttle throughput versus other users in multi-tenant scenarios, track usage, provide for billing, enable analytics and more. It is rare to find an API out on the Web that doesn't have some kind of authentication or control mechanism, even if it is not immediately apparent (ip address throttling for example).

These different authentication approaches can create a challenge and a great deal of additional complexity for developers building applications that use these APIs, as each API coming from different organizations typically has its own set of authentication mechanisms to manage, maintain, and code to. Examples include UserID and password combinations, multiple variations of license keys such as single keys, multiple keys, private and public keys, key pairs, and authentication tokens, and also IP address throttling.  There are also several implementations of WS* security types, including several stateful and federated approaches which are often overkill for many scenarios and simply get in the way when simpler approaches would suffice. Managing these different authentication types can create quite a headache when several APIs are being developed on top of.

And to make things worse, a given mechanism can come in a variety of flavors. In some cases, authentication information can be included as parameters, as part of SOAP header information, or in non-standard ways such as utilizing HTTP authentication. So the number of approach permutations is quite large.

Whichever one of these authentication mechanisms is in use within a single organization is likely fine as long as it is consistently applied across all Web services and APIs published. For example, if an entire company chooses an authentication token mechanism for all services registered for internal use, then the organizational business units can adapt and ultimately things will work out successfully. However, there is usually not enforcement of this consistency across multiple enterprises and of course each organization is likely to use mechanisms unique to them, therefore potentially creating an infinite number of authentication methods that application builders have to contend with. This is a significant barrier to adoption of external Web services APIs. This is primarily why UDDI has worked within organizations, but has failed universally on the Web where a proverbial “wild west” of authentication mechanisms exist, each of which must be dealt with before the services can be put to use.

At StrikeIron, to help organizations remain consistent with their internal approaches, we have provided some alternatives. We provide UserID and Password capabilities which work across all of our services. These can be passed as either parameters to the service, or within SOAP headers (we have different WSDLs for each case), and of course within a REST call. Alternatively, you can use a single key string that is unique to a given service rather than universally applied like the UserID and Password combination (the approaches are interchangeable). If necessary, we can even provide universal keys if that approach is preferred.

With our free lite Web services, we have taken the approach of not requiring authentication information to be passed with each invocation of the service (too unwieldy for people building demos with these free services for other people to use). So in this case we have gone with IP address authentication to ensure resources are not hogged.

I do this think this variability of authentication to APIs that exist across the Web is a considerable barrier to SAAS and cloud integration and some standards ought to be developed and rallied around to eliminate a lot of the complexity that exists today around API authentication. Otherwise, the "great API in the sky" with its thousands of methods at developers' disposal to innovate with will be slow to come to pass.

Using SMS and IVR Notification Web Services with REST

As an alternative to using SOAP APIs, you can send either SMS messages to a mobile device or a text-to-speech message to any phone (land line, mobile, or VOIP) using the REST (short for "Representational State Transfer") protocol. REST is typically used in scripting languages, especially for Web sites and Web applications.

REST calls are easy to try out. To execute one, you can simply enter the below string into the address bar of any browser (tested with Firefox and IE).

In this particular example, all parameters required to call the operation are passed in via the query string in the link below.  You will need to replace each of these tokens (noted by square [] brackets) with the appropriate parameter value. You will also need to ensure that the values have all URL reserve characters correctly escaped. If you don't already have one, you can get a UserID and Password from StrikeIron by simply registering, and you will be provisioned with some free messages.

Also, here is a guide to calling StrikeIron services using REST: http://www.strikeiron.com/doc/How_to_call_a_StrikeIron_Web_Service_Using_REST.pdf

IVR Text-to-speech example (yes, lots of parameters):

http://ws.strikeiron.com/StrikeIron/JadukaNotification/JadukaNotificationService/RequestTextToSpeech?LicenseInfo.RegisteredUser.UserID=[UserID]&LicenseInfo.RegisteredUser.Password=[Password]&RequestTextToSpeech.NumberToCall=[string]&RequestTextToSpeech.CallerID=[string]&RequestTextToSpeech.TextData=[string]&RequestTextToSpeech.Actor=[PAUL/KATE]&RequestTextToSpeech.Text Format=[NORMAL/SSML/HTML/EMAIL]&RequestTextToSpeech.TextType=[TEXT/URI]&RequestTextToSpeech.VoiceVolume=[0-500]&RequestTextToSpeech.VoicePitch=[0-200]&RequestTextToSpeech.VoiceSpeed=[0-400]&RequestTextToSpeech.ThankYouURI=[string]&RequestTextToSpeech.InitialPause=[int]&RequestTextToSpeech.RepeatPause=[int]

SMS Text Messaging example:

http://ws.strikeiron.com/StrikeIron/SMSAlerts4/GlobalSMSPro/SendMessage?LicenseInfo.RegisteredUser.UserID=[UserID]&LicenseInfo.RegisteredUser.Password=[Password]&SendMessage.ToNumber=[ToNumber]&SendMessage.FromName=[FromName]&SendMessage.MessageText=[Message]

Try it out and let us know at StrikeIron if you have any difficulty!

IVR Voice Notification Webinar Scheduled for August 19th, 2009

Tomorrow I will be hosting a Webinar demonstrating the end result of our technology partnership with Jaduka. Jack Rynes, the COO of Jaduka, will join me. We will be showing how to utilize the outbound voice notification Web service that is now available on our site, enabling text to be converted into computerized voice and delivered to anything with a phone number, including land lines, mobile devices and VOIP services such as Skype and Vonage.

The Webinar is scheduled for 30 minutes, most of which will spent doing some quick demos on how to make use of the technology. You will see how to apply this technology to I.T. monitoring, e-commerce and customer service scenarios, emergency notifications, voice reminders, as part of workflow and business processes, and more.

Here is where you can sign up: https://www2.gotomeeting.com/register/472784202

If you provide one of your phone numbers as part of the registration, we will send you a voice notification prior to the Webinar reminding you of the starting time (it's really part of the show).

Here is the URL of the actual notification Web service, including the WSDL, if you would like some more information on it: http://www.strikeiron.com/ProductDetail.aspx?p=483

Here is a Web form that enables you to interactively send text-to-voice messages so you can try it out yourself: http://www.strikeiron.com/apps/runapp.aspx?appid=116

Also, here is a desktop Windows client built on the API that you can download to interactively send messages (like a dashboard), as well as sending voice notifications to a text file of phone numbers (batch): http://downloads.strikeiron.com/ivr.zip

Hope you can join us!

Harvesting IP Addresses of Web Traffic + StrikeIron API

A trick we use ourselves at StrikeIron is to get a handle on where Website and Web service invocation traffic is coming from geographically. These types of analytics help us better understand our business.

We do this using an IP Address Lookup Web Service API that we also make available to our customers. This particular Web service takes an IP address as a parameter, and among other things returns the latitude and longitude coordinates of that IP address, as well as city, state, and country. Even an actual map image is returned as part of the output. Anybody of course can do this with their own Website and Web traffic.

For example, you can show a map  indicating the current geographic distribution of visitors on your Web site at any given time or time interval. This allows a visualization of Web traffic after these coordinates are plotted. In this case the size of the dot represents how many visitors are from that particular city:

This could be especially useful after certain geographically-targeted marketing campaigns are run, or to track geographic applicability to certain pages on your site versus others. Of course, this would allow for localized messaging to site visitors as well. For example, a site aimed at sports fan may be well-served to display lead articles about local teams (or humor about rivals).

Happy plotting!

StrikeIron Private Web Services Cloud

Private Web services deployed "out in the cloud" can be beneficial to organizations who have internal data, data collected from external sources, business processes, APIs, or other IT assets they would like to make available to a controlled audience in a measured way utilizing sophisticated, proven technology via the Web.

Organizations typically do this because they want to enable connections to other applications, Web sites, business processes, partners, customers, and employees to their own systems and data to achieve efficiency and enable a broad array of Web-transacted business. In addition, they would like to provide a foundation to those who would innovate on top of these Web services and data sources, furthering leadership positions and enabling Internet-based business development to occur.

Of course, these kinds of capabilities can all be built from scratch internally. However, that can take months and years and many iterations through a learning curve to bring it live and make it useful. Fortunately there are options available to leverage existing solutions and bring a set of Web service APIs available in a very short period of time (days or weeks).

Organizations tend to look to outside solutions to significantly lower costs, get to market quickly, have comprehensive capabilities, minimize ongoing maintenance and leverage existing domain expertise. This buy versus build approach also allows for a phased strategy, where a few Web services can be created and deployed, and then expanded in scope as they succeed against custom metrics in pay-as-you-go models.

Take a look at the below architecture and see what "Private Web Services" out in the cloud can look like via StrikeIron. Also, in the case of utilizing the StrikeIron Private Web Services Cloud (a.k.a IronCloud), potential API and Web services publishers can get a feel for what their own Web services will look like and how they will behave by trying and integrating the 50+ public APIs that already exist on the public platform available at www.strikeiron.com, as well as pre-built third-party application integrations, such as with Microsoft Excel and Salesforce.com.