
Best way to build a client api on top of an API



I have two questions. I was wondering what would be the best method to go about building client-side API functions on top of an already built API, e.g. http://docs.whmcs.com/API:Functions

We would like to provide our clients access to API functions related to their accounts without giving them access to the whole Admin API where they can see a lot of our other client information.


The other question: we have an API built using Basic HTTP Auth for API authentication (HTTPS) (e.g. curl username:password http://api.etc.com). If so, what would be the best way to secure this method?




Thank you



I'm not sure I understand your questions.


If you have an API already, that you already secure using HTTP Auth, then what other security do you need?  


For segmenting API calls, typically you would add a "Role" relation to the user table.   If you already have a lot of users and don't expect any role granularity you can simplify this somewhat by only adding rows & relations for "Admin" users possibly.


A simple



if ($user->isAdmin()) {
  // Existing admin code
}

Could be added.


A second possibility would be to completely isolate the members API on a separate API subdomain, i.e. client.yoursite.com. Although more of a hack, you could add an attribute to the existing user table like "isApiUser". Then it's a small change to your API access code to check for this attribute == 1, and disallow if they don't have it.


Your client.yoursite.com api would allow any user to login, regardless of the "isApiUser" attribute.


Thank you, I'm starting to get a good idea of where to start.


To clarify, the API above is from a billing software we use (ioncubed), so it was difficult to edit the API provided.


We wanted to provide our clients an API, while the API above is a Full Admin access API.


1. For example, if you look at this particular method,


This command can be used to obtain all the invoices.


2. The API call shows you all of our client invoices (over 1000 clients). I wanted a way for a client "A" to be able to get all of their invoices without showing them invoices from Client "B", "C", etc.


3. I wanted Client "A" to be able to use a similar call which in turn would show all of the invoices for the client ID related to that particular client.


I hope I'm making some sense.


Without looking in any detail at the WHMCS API, you should be able to do what you want by wrapping their API calls in your own API, where you in essence proxy the requests for them. You would of course still need a user table and possibly some related tables to contain the information that you'd need to proxy along to WHMCS.


You have the option of using a number of different client libraries to make the actual calls. Guzzle and Httpful are two relatively recent PHP libraries that have become popular for making REST calls. Guzzle, for example, was used by Amazon as the underlying core of their AWS PHP API v.2 client library.


You could also use the good old curl extension, although I'd advocate using Guzzle instead, with the curl adapter.


Since you're proxying calls from your server on behalf of your clients, you will need to ensure that the proper filtration or parameters are sent by your client calls.


Other than that, it sounds like you will be providing a REST client yourself, so all the rules of creating a good REST API are important.

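A sketch of the proxy approach discussed in the thread, added here as an illustration and not taken from any of the posts or from WHMCS itself. It assumes the admin API exposes an invoice-listing action named `GetInvoices` that accepts a `userid` filter and returns rows under `invoices.invoice`; the function name `proxyClientCall`, the `$upstream` callable and the sample data are hypothetical.

```php
<?php
// Added example, not WHMCS code. Assumed names: action "GetInvoices", its
// "userid" filter, and the invoices.invoice[] response shape.

const CLIENT_ACTIONS = ['GetInvoices'];   // allowlist: everything else stays admin-only

/**
 * @param int      $clientId  ID resolved server-side from the caller's own credentials
 * @param array    $request   untrusted parameters sent by the client
 * @param callable $upstream  performs the real admin API call (Guzzle, curl, ...)
 */
function proxyClientCall(int $clientId, array $request, callable $upstream): array
{
    $action = $request['action'] ?? '';
    if (!in_array($action, CLIENT_ACTIONS, true)) {
        return ['result' => 'error', 'message' => 'Action not permitted'];
    }

    // Forward only known-safe parameters, then pin the tenant filter.
    $params = array_intersect_key($request, array_flip(['limitstart', 'limitnum', 'status']));
    $params['action'] = $action;
    $params['userid'] = $clientId;        // never taken from $request

    $response = $upstream($params);

    // Defence in depth: drop any row that does not belong to the caller.
    $rows = $response['invoices']['invoice'] ?? [];
    $own  = array_values(array_filter($rows, fn($r) => (int)($r['userid'] ?? 0) === $clientId));

    return ['result' => 'success', 'invoices' => $own];
}

// Constructed stand-in for the admin API so the example runs offline.
// It deliberately ignores the userid filter to exercise the response check.
$fakeAdminApi = function (array $params): array {
    return ['result' => 'success', 'invoices' => ['invoice' => [
        ['id' => 1, 'userid' => 10, 'total' => '25.00'],
        ['id' => 2, 'userid' => 11, 'total' => '90.00'],
        ['id' => 3, 'userid' => 10, 'total' => '12.50'],
    ]]];
};

// Client 10 supplies another client's userid; the proxy overrides it.
$out = proxyClientCall(10, ['action' => 'GetInvoices', 'userid' => 11], $fakeAdminApi);
print_r(array_column($out['invoices'], 'id'));

// An action outside the allowlist (constructed name) is refused before any upstream call.
$denied = proxyClientCall(10, ['action' => 'SomeAdminAction'], $fakeAdminApi);
echo $denied['message'], PHP_EOL;
```

The admin API credentials live only inside the `$upstream` callable on the server, so clients authenticate to the proxy with their own credentials and never hold the admin ones.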

