Goodreads Developers discussion

Hi all,

I am planning on developing an open source python script incorporating the goodreads API. I have a few questions though:

1) How do I go about including my secret developer key in the script?
2) Will every user who downloads the App have to register a developer API key?
3)Can each user just use their own goodreads username and password to use the API, without the need for a "Developer" key?

My third question is how I would assume it should work, because I don't want hundreds of thousands of people all using my developer key to use the script...

Thanks in advance for your help.

Just put your key and secret in a secure place on your server. Both should remain private to yourself only. It is basically your authorization to use the api.
Users should not (nor they need to) know your api key to use your app: they will just use your app to access Goodreads data.

I suggest you browse the Examples/Showcase section of this group. Other developers have posted snippets and full applications using our api.

Hi Ettore, thanks for the reply. I have looked at the Example and Showcase sections.

Looks like I wasn't very clear in my original post, not the first time :-). I am not creating a web service or web app, or even a web site. It is an opensource stand alone python script for use as a plugin on a media centre(HTPC). Users will install the script on their own media centres to have their goodreads shelves, recommendations etc.. available on their system.

In the above user case, it seems ridiculous for every user to need a developer key to access their account via the API.

I guess I am asking, and what I was't able to find elsewhere on this site, is in my scenario, what do I do?

Thanks

Got it. My answer though, is the same. Anyone who wants to use our api needs to be an authorized developer: this is how ours and pretty much any free api on the web works.

What you are providing is essentially a developer tool for other developers. Which is totally fine, but like i said this means your target audience is developers, not the regular Joe, even if doesn't look like that.

I understand what you are saying, but I don't agree unfortunately.

I am creating a plugin for a very popular media centre used by millions of "regular" people. These people aren't developers, each one having to get a "developer" key from goodreads doesn't seem like the right solution for this. Does goodreads really want each on of these people applying for a developer key?

I also disagree with the "this is how ours and pretty much any free api on the web works". Other API's do not require a "developer key" to accomplish what I am trying to accomplish with my python script. The most popular way to authorise an App's access to an end users account is via OAuth's 3-legged authorisation.

I completely agree that a developer key is the easiest way to implement API access for web apps and services, but for stand alone end-user apps of any description, a developer key should not be necessary.

I am still planning on creating this python script, so my only option is to provide instructions on how the end users should go about obtaining a developer key - I hope this is OK.

Thanks

What we did with Book Catalogue (open source Android app), is to put the keys in a single module, and each developer has their own keys. It is a single file with about 4 lines, so technically the app is no longer Open Source, but there are implicit instruction in how to reconstruct the "missing" source so, in my view, it still qualifies.

Python is a little different in that it does not compile to object modules (as far as I know), but you could adopt the same approach: the vast majority of media centres come with DIY and prebuilt versions. I'd suggest adding steps for the DIY-ers, but all the prebuilt binaries could contain keys obtained by the builders.

It's not great, but any form of embedded key will always be susceptible to decompilation or code inspection. At least this way, the vast bulk of your end users won't need their own key.