How is app_dev_key implemented for unregistered users?

A malicious user can put us out of business by consuming all URL keys in the current design. To prevent abuse, we can limit users via their api_dev_key. Each api_dev_key can be limited to a certain number of URL creations and redirections per some time period (which may be set to a different duration per developer key).

I assume most users of the URL-shortening service are actually unregistered users. What’s the industry standard for preventing the aforementioned abuses against unregistered users? Would that be via cookies or IP addresses or something?


I’m wondering the same thing: how do we handle unregistered users? How would they use the API without an api_dev_key?

I assume there needs to be a type of DDoS mitigation system in place given most users are anonymous.

Have you got any answers? Why are these people not responding?

@Design_Gurus Please could you share your perspective here?

You have to be a registered user to use any system APIs. Unregistered users are not allowed. This safeguards against security issues and allows quotas to be allocated.

I was thinking of limiting the users based on their userId. For unregistered users, we can probably generate a random userId and use that. I’m new to system designing, please let me know if I’m missing something obvious.
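
The per-key quota from the quoted course text, combined with the registered-only rule from the reply above, as an added example that is not part of the thread or the course's code. The class names, key strings and limits are constructed for illustration, and the sliding-window counting method is an assumption.

```python
import time
from collections import defaultdict, deque

class QuotaExceeded(Exception):
    """The key has used up its allowance for this action in the current window."""

class UnknownKey(Exception):
    """No api_dev_key, or one that was never registered: the request is refused."""

class KeyQuota:
    """Sliding-window quota tracked per (api_dev_key, action)."""

    def __init__(self, clock=time.monotonic):
        self._limits = {}                 # key -> {action: (max_calls, window_seconds)}
        self._hits = defaultdict(deque)   # (key, action) -> timestamps of allowed calls
        self._clock = clock

    def register(self, api_dev_key, limits):
        # Each key carries its own limits, so the window can differ per developer key.
        self._limits[api_dev_key] = dict(limits)

    def check(self, api_dev_key, action):
        """Record one call and return the calls remaining, or raise."""
        limits = self._limits.get(api_dev_key)
        if limits is None or action not in limits:
            raise UnknownKey("request without a registered api_dev_key")
        max_calls, window = limits[action]
        now = self._clock()
        hits = self._hits[(api_dev_key, action)]
        while hits and now - hits[0] >= window:   # drop calls that left the window
            hits.popleft()
        if len(hits) >= max_calls:
            raise QuotaExceeded(f"{action} quota reached for this key")
        hits.append(now)
        return max_calls - len(hits)

def demo():
    """Constructed scenario: 2 creations per 60 s for one key, then an anonymous call."""
    t = [0.0]
    quota = KeyQuota(clock=lambda: t[0])
    quota.register("dev-key-A", {"create": (2, 60), "redirect": (3, 10)})
    out = []
    for when, key in [(0, "dev-key-A"), (1, "dev-key-A"), (2, "dev-key-A"),
                      (61, "dev-key-A"), (62, None)]:
        t[0] = when
        try:
            out.append(f"ok:{quota.check(key, 'create')}")
        except QuotaExceeded:
            out.append("denied")
        except UnknownKey:
            out.append("rejected")
    return out

if __name__ == "__main__":
    print(demo())
```

In a deployed service the counters would live in a shared store rather than process memory, so that every API server sees the same totals for a key.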