
I'm building an API. When requesting the data of a user this is shown to be the best practice to retrieve the data:

Requests user data with ID:

https://api.example.com/users/1

However, it would be more convenient to request user data with their email:

https://api.example.com/users/[email protected]

Is it safe to use the second method? Even if I was to use the first method, there is no way that a developer would know the ID for the user which they would like to request, so it would not be useful at all.

So is the second method safe? If not, is there a solution? Thanks.

Pav Sidhu

2 Answers


Passing an email address in the URL is not a good idea, as it is non-public information. If you really need to go with an email address, then go with a POST call, or you can use the id, which is completely safe if you are using proper authorization at the API end.

Zaheer Ahmed

As long as the ID is unique and parsable in the URI. The '@' would need to be encoded into a "%40". Other than that it's fine, IMHO. If you have two different types of identifiers, like email and ID, then you might want to allow a client to select which identifier to use.

https://api.example.com/[email protected]

or

https://api.example.com/users?id=1

Here is some good literature for how to use filters in REST APIs.

Jose Martinez
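
Added example, not part of either answer: a Python sketch of the `?id=` / `?email=` selection described in the second answer, with the percent-encoding it mentions and the authorization check the first answer asks for. The sample users, the function names and the rule that a caller may read only their own record are assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample records (assumption; not data from the original post).
USERS = {1: {"id": 1, "email": "alice@example.com"},
         2: {"id": 2, "email": "bob+test@example.com"}}
BY_EMAIL = {u["email"]: u for u in USERS.values()}


def build_lookup_url(base, *, user_id=None, email=None):
    """Client side: build /users?id=... or /users?email=... (hypothetical helper)."""
    if (user_id is None) == (email is None):
        raise ValueError("supply exactly one of user_id or email")
    if user_id is not None:
        return f"{base}/users?id={int(user_id)}"
    # safe="" also encodes '@', '+', '&' and '/', so the address stays one value.
    return f"{base}/users?email={quote(email, safe='')}"


def handle_lookup(url, caller_id):
    """Server side: return (status, body) for the authenticated user caller_id."""
    params = parse_qs(urlsplit(url).query)
    ids, emails = params.get("id", []), params.get("email", [])
    if len(ids) + len(emails) != 1:
        return 400, {"error": "supply exactly one of id or email"}
    if ids:
        raw = ids[0]
        user = USERS.get(int(raw)) if raw.isascii() and raw.isdigit() else None
    else:
        user = BY_EMAIL.get(emails[0].lower())
    # Assumed policy: a caller may read only their own record. "No such user"
    # and "not yours" get the same answer, so the endpoint does not reveal
    # which addresses are registered.
    if user is None or user["id"] != caller_id:
        return 404, {"error": "not found"}
    return 200, user


if __name__ == "__main__":
    base = "https://api.example.com"
    good = build_lookup_url(base, email="bob+test@example.com")
    print(good, handle_lookup(good, caller_id=2))
    # Unencoded '+' is decoded as a space, so the lookup silently misses.
    raw = base + "/users?email=bob+test@example.com"
    print(raw, handle_lookup(raw, caller_id=2))
```

Whichever identifier is used, a value placed in a GET URL is typically recorded in server and proxy access logs, which is one practical consequence of the first answer's objection to putting the address there.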