by levirosol 4456 days ago
Reading the docs, I understand it to be a proxy for your APIs. You set up a service for api.somedomain.com, and then you change that URL in your app to be someprefix.apitools.com.

Being a developer who heavily utilizes internal and external APIs, I like the idea of a tool like this; however, I'm really hesitant to run all calls through a single 3rd party, especially one this green.

The next question I have is, what about auth? It seems like it could get really messy / insecure using something like this.

Seems like a great project to open source and to run on your own hardware.

3 comments

This is the understanding I got as well.

Another concern of mine is that now you're running all calls to an API through yet another service, increasing latency on potentially frequently-called methods.

It's certainly not for all API calls.

We are planning an on-premise version, which should work for all API calls - https://news.ycombinator.com/item?id=7517338

You can write Lua middleware to do the auth if you want. The traffic monitor website is protected by us, but the actual proxy is not authenticated as it could interfere with the API you are using.
Huh, so using this service will turn any authenticated API into an open API, usable by anyone that knows the URL?

That seems... unsuitable for most non-public APIs.

It is a proxy, so if you don't explicitly add keys with a middleware the API will still need the auth.

But you can do key mapping: if you pass your key it will transform it to the real one and if not, then it will just return 403.
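
The key mapping described in the comment above, sketched in Python as an added example; it is not part of the thread and is not APItools' own Lua middleware API. The header names, the Bearer scheme and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac


def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample data: digest of the key handed to a client, mapped to the
# real upstream credential (placeholder value). Client keys are stored hashed.
KEY_MAP = {_digest("client-key-alice"): "REAL-UPSTREAM-KEY-PLACEHOLDER"}

CLIENT_HEADER = "x-proxy-key"      # hypothetical header carrying the client's key
UPSTREAM_HEADER = "authorization"  # header the real API is assumed to expect


def map_key(headers):
    """Return the headers to forward upstream, or None to reject with 403."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    incoming = {k.lower(): v for k, v in headers.items()}
    presented = incoming.pop(CLIENT_HEADER, None)  # never forward the proxy key
    # Drop any caller-supplied upstream credential so it cannot pass through.
    incoming.pop(UPSTREAM_HEADER, None)
    if not presented:
        return None
    presented_digest = _digest(presented)
    real_key = None
    for stored_digest, upstream_key in KEY_MAP.items():
        # Constant-time comparison; scan every entry instead of stopping early.
        if hmac.compare_digest(stored_digest, presented_digest):
            real_key = upstream_key
    if real_key is None:
        return None
    incoming[UPSTREAM_HEADER] = "Bearer " + real_key
    return incoming


def proxy(headers, upstream):
    """Forward to upstream(headers) only when the client key maps to a real one."""
    forwarded = map_key(headers)
    if forwarded is None:
        return 403, "Forbidden"  # upstream is never contacted
    return upstream(forwarded)
```

Without a mapping step like this in front of it, the proxy URL forwards whatever the caller sends, so access control rests entirely on the upstream API's own auth.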

Isn't this effectively what Mashape does?

http://mashape.com/

No - Mashape is a marketplace to sign up for APIs. You can call APIs through Mashape but you don't get the middleware control layer or detailed alerts/analytics.