Why authentication and limiting requests?

If I told you that there is a Web API exposed from a particular country's government that you can use to get all the details of its citizens, then the first thing you would ask me is whether you can extract data from the API or not. That is exactly what we will be discussing.

So, if you take the previous example, the data that comes back from that API would have the citizens' sensitive data, such as name, address, phone number, country, and social security number. The government should never allow everyone to access this data. Only authenticated sources are allowed, generally. What that means is when you call one API, you need to send your identity and ask to it to allow you to operate on the data. If the identity is wrong or not in the list of allowed sources, it will be rejected by the API. Imagine terrorists trying to access the API, you would definitely deny access by detecting their identity.

Now imagine another scenario, where a university has an API that sends out results of a particular semester of a certain course. Many other websites would show the results on their site by calling this university API. A hacker comes in and uses a code block to call the API in a loop. If the time interval is too small, then don't be surprised if you get a Server Busy/Server Unreachable message. That is because, with a huge number of requests in a short span of time, the server becomes overloaded and runs out of resources.

That is where imposing limitations on the API not to allow more requests from the same source in a particular time interval comes into the picture. For example, if any consumer accesses our API, we will not allow the request if the consumer has already requested it before in the last 10 seconds or so.

First, let's design the database for our app before exploring other concepts.