API security and development priority changes (CSM)

From sdeevelopedia

All this data is potentially out of date, and should be taken with a truckload of salt


  • Title: API security and development priority changes
  • Raised by: mazzilliu
  • Submission Date: 25 July 2010
  • Issue ID: ???


So far, the EVE Online API has seen very few additions since that time. We've still got titles-only for EVE mails, nothing for PI, huge numbers of bugs and quirks in the way the API functions, and recently we've seen even more comments from devs that strange behavior is becoming more common; skillpoint oddities and the like.

Since the release of EVE Gate, we've had no support from the devs about the API or accessing any features of EVE Gate programmatically. We've had threats of bans for crawling/scraping, though the EULA and TOS have not been updated to reflect this. And we've had no response to any queries we've openly put to the devs on the matter of new API features (for example, full EVE mail access - we only get titles in the API) and fixing old bugs. We've had one or two fixes in the last few expansions - that's all.

I feel that CCP has taken the wrong approach with EVE Gate and would like them to reconsider the approach they are taking, and potentially shift it. Social networks like Facebook thrive on integration and applications. EVE Gate offers no facility for either of these, instead limiting people to only doing what CCP provides, and only on CCP's website in the way that CCP wants them to do. This removes a vast amount of potential from the site. Standards like OpenSocial permit high levels of integration without exposing personal data beyond that agreed with the application on install; this is covered further towards the end of this post.

My proposal is essentially to ask CCP to place an emphasis on making new APIs, on bringing support for third party applications and open integration into EVE Gate through existing open standards, and to place a new priority on maintaining and improving the API to maintain openness of data - anything that is available through EVE Gate should be available through APIs with the same level of permissions.

Permissions is my other point. Because CCP has not made APIs available, a large number of applications which require a user's EVE login to function have started cropping up. This is going backwards - before the API we had this situation, where you had to give your EVE login to third party apps for them to function. Clearly, from a security standpoint, this is extremely worrying. The solution is easy - ensure API equivalents are exposed for all EVE Gate features.

In addition to this problem, with the large number of API functions already available and the large number of additional functions that would be made available should CCP actually replicate EVE Gate features into the API, a two or even three key system for API permissions is simply not enough to provide sufficient granularity. Open standards for application authentication and permissions should be adopted as a matter of urgency. This would enable users to grant applications only the permissions that application needs to function, and nothing else, and would let users see exactly what an application will have access to prior to granting it access. Such protocols include OAuth, used heavily by Twitter and Facebook.

The changes proposed above would not require a large increase in development time, but would require nontrivial redistribution of time that would otherwise be spent on new features. I am confident the playerbase would in general welcome the changes proposed above.

If nothing else, CCP would gain a multitude of useful apps and tools which would increase use of their own platform, rather than drive people from it, increasing return on investment for invested developer time and cost by improving the user experience.

Potential Solution

Do more stuff with the API


  • the EVE API is the coolest thing ccp has released since EVE


  • haters gonna hate

Relevant Forum Threads

Meeting Minutes