How is app_dev_key implemented for unregistered users?

sys_design_grokker · July 27, 2020, 2:29pm

A malicious user can put us out of business by consuming all URL keys in the current design. To prevent abuse, we can limit users via their api_dev_key. Each api_dev_key can be limited to a certain number of URL creations and redirections per some time period (which may be set to a different duration per developer key).

I assume most users of the url-shortening service are actually unregistered users. What’s the industry standard of preventing the aforementioned abuses against unregistered users? Would that be via cookies or IP addresses or something?

Joseph_Fernandez · May 15, 2020, 3:51pm

I’m wondering the same thing, how do we handle unregistered users? how would they use the API without an api_dev_key?

Bilall · May 20, 2020, 8:11am

I assume there needs to a type of DDos Mitigation system in place given most users are anonymous.

Sultan_Mahmud · September 26, 2020, 6:41am

Have you got any answers?? Why these people are not responding?

Ritwick_Kumar · December 25, 2020, 6:26pm

@Design_Gurus Please could you share your perspective here?

Design_Gurus · December 26, 2020, 3:27am

You have to be a registered user to use any system APIs. Unregistered users are not allowed. This safeguards against security issues and to allocate quotas.

Akash_Singh · January 14, 2022, 6:21pm

I was thinking of limiting the users based on their userId. For unregistered users, we can probably generate a random userId and use that. I’m new to system designing, please let me know if I’m missing something obvious.

Thanks,
Akash