JillzTom

Exposing Id's in APIs

I'm creating a set of APIs using JWT auth. I heard that exposing PK id is not the best thing to do.

So for ex:

api.app.com/users/5

gives me the impression that I've only 5 users in my application and any other security issues that the tech wizards may have.

So if I use UUIDs in the API response, how do I fetch the data of a user?

//Like this with the UUID?
api.data.com/users/weu32-juh23-2yguu

Would there be any alternatives?

Also, why would we use transformers? Can't we just hide them in Models like below:

protected $hidden = ['password'];

and use setters and getters to name indices however we want?

0 likes
6 replies
davorminchorov

You would fetch the data for a specific user by passing the UUID as a parameter. Just like you do it with a normal autoincrement ID.

As for transformers, they are used to keep the data consistent without breaking changes in the API. Also, another benefit is changing the database field names to something completely different, so people don't know your database structure and field names.

What I mean by that is, let's say you have a field called created_at in the database and for some reason you want to change it to created_on using a migration. You would change it and make changes in the code to reflect the latest migrations, but if you don't use a transformer, your end users (developers who use your API) will have a problem with data not showing up and all kinds of errors.

You can't do this with a Model's $hidden property.
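The two points in this answer, looking a user up by UUID and letting a transformer (here a Laravel JsonResource) define the API field names, as an added Laravel example that is not code from this thread. It assumes a users table with columns id, uuid, name, password and created_at, and an auth:api guard already configured for the JWT setup.

```php
<?php
// app/Models/User.php (added example, not from the thread)
namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Str;

class User extends Model
{
    // Keep the integer PK for joins/indexes, but never send it to clients.
    protected $hidden = ['id', 'password'];

    protected static function booted(): void
    {
        // Random v4 UUID assigned on insert: not sequential, so the URL
        // reveals nothing about how many rows exist.
        static::creating(function (User $user) {
            $user->uuid = $user->uuid ?? (string) Str::uuid();
        });
    }

    // Route-model binding for /users/{user} now resolves by the uuid column,
    // so GET /users/5 simply 404s instead of returning the fifth user.
    public function getRouteKeyName(): string
    {
        return 'uuid';
    }
}

// app/Http/Resources/UserResource.php
namespace App\Http\Resources;

use Illuminate\Http\Resources\Json\JsonResource;

class UserResource extends JsonResource
{
    public function toArray($request): array
    {
        // The API contract lives here, not in the table schema. If a migration
        // renames created_at to created_on, only this mapping changes and
        // clients keep receiving the same keys.
        return [
            'id'         => $this->uuid,
            'name'       => $this->name,
            'created_on' => optional($this->created_at)->toIso8601String(),
        ];
    }
}

// routes/api.php ('auth:api' is the assumed JWT guard name)
Route::middleware('auth:api')->get('/users/{user}', fn (User $user) => new UserResource($user));
```

Authorization is still required: a random UUID only stops guessing, so the route should additionally check that the authenticated user may read the requested record (a policy or gate), otherwise anyone holding a valid token and a leaked UUID can still read it.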

JillzTom

I can use a getter/setter to define a new attribute for that column and hide the original in the $hidden property. Wouldn't that work?

davorminchorov

That might work, but I believe it's better if you just send a transformed array in the response. I see it as a cleaner way.

JillzTom

Okay. Are there any limitations to using UUIDs instead of IDs?
