Ask HN: How do you manage users on your API business/product?
I am building on an API product (imagine something like Twilio or Mailgun) and I am thinking about how to manage users in the following areas:
- authentication and authorization
- rate limiting
- accepting payments and billing
- other factors that I haven't thought of yet...?
I am wondering if there are existing tools or SaaS for these problems, or if this is something that I should just implement myself.
Thanks in advance for your help and suggestions!
9 comments
[ 5.4 ms ] story [ 32.0 ms ] threadRate limiting is something that's not too difficult to implement and would probably make sense to build yourself. However, it's probably not something worth spending time on until it becomes a necessity (i.e. when you have enough customers that it becomes an issue). Don't waste time on it this early.
For authentication, there are several open and closed source options like Auth0, supertokens, etc. Any of them should work really well depending on how well they integrate with your programming language of choice. Some newer ones like Stytch offer more modern authentication flows (passwordless, magic link, etc). As an API product, you might want to look into a service that helps with generating and managing API keys for API authentication instead.
Depending on the complexity of your product's access control, I would recommend using an authorization-as-a-service product to handle authorization. Warrant (https://warrant.dev/ -- disclaimer: I'm the founder) is an end-to-end authorization service that helps you add authorization at any layer of your stack (API, UI, etc.) without much code and provides a dashboard for managing your access model/access rules.
Aside from these problems, I would recommend spending some time thinking about how you'll manage API versioning and infrastructure/deployments. These are really important for giving your customers a seamless experience as API consumers.
I hope this helps!
I just checked out Warrant and your docs are very clean :)
One limiting factor for my adoption of Warrant would be that my application would need to perform auth on each request from each user, which in total may be on the scale of thousands of requests per second for my application. When I looked at the pricing section, Warrant's Standard Plan costs $1 per 1,000 API requests / mo. This would be too expensive for my use case, but perhaps I am not the target customer...? sweat smile Regardless, I wish you the best of luck with Warrant!
I agree with what you said about rate limiting. Given that Warrant is also an API product, has rate limiting been something you have found to be a necessity already? What factors or indicators would push you to add rate limiting?
Thank you! We put a lot of effort into maintaining quality documentation, so I appreciate the compliment!
Our pricing is intended to scale with an application. $1 per 1,000 API requests / mo is expensive for an application with thousands of requests per second, but I would imagine an application with that kind of traffic would fall into our enterprise tier which provides volume discounts. We also have a nice free tier for testing out the product in some capacity at any stage and offer better deals for early stage startups.
Regarding rate limiting. It hasn't really been an issue for us yet. As an API product, the only users I would rate limit would be free tier customers who are generating tons of requests and degrading performance for paying customers (hasn't happened yet). For paying customers, I would probably want to scale our infrastructure to support the amount of traffic they're bringing in since they're paying.
I am the founder and am happy to answer any questions regarding user auth and app authorization