Reputation: 603
I need some community feedback. I realize that most of my REST endpoints need to display different results depending on the client's credentials. However, I'm struggling (mentally) with mixed public/private endpoints. So say I have a list of widgets which is public and requires no authentication to see but doesn't show prices. Meanwhile, if you're logged in (present an access token), you need to see the entire widget record, including pricing.
Logically, I want to separate public from private in this case. One is a list and will always be a list and will not show any private information, while the other endpoint is more admin-ish (yeah...I made that word up). So I instinctively want to do something like:
...instead of just the latter and dealing with non-authenticated clients differently from authenticated clients. The issue is more endpoints and possibly more complexity for the client app.
Any thoughts?
Upvotes: 0
Views: 65
Reputation: 13682
From a technical perspective, "Mixed Security" is the way to go. Conceptually, you have one endpoint - a collection of widget resources. The fact that you want different users to be able to do different things with the collection doesn't change that. It shouldn't be hard to branch based on credentials.
From a business perspective, you're proposing to push complexity onto your clients rather than deal with it yourself. How do you think clients are going to react to that?
Upvotes: 1
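One way to implement the single "mixed security" collection endpoint the answer recommends, as an added illustration that is not code from the question or the answer: the handler serves the same `/widgets` collection to everyone, but the server decides which fields each caller sees. Anonymous callers get the public projection, a valid bearer token unlocks pricing, and a token that is present but invalid is rejected with 401 instead of being silently downgraded to the public view, so a misconfigured client notices. The token scheme (`issue_token`/`verify_token` keyed on a constructed secret), the `WIDGETS` sample records and the field sets are all assumptions made for the example; a real service would use its framework's authentication instead of this toy HMAC scheme.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the original post): widget records that
# carry both public fields and private fields.
WIDGETS: List[Dict[str, object]] = [
    {"id": 1, "name": "Sprocket", "price_cents": 1299, "cost_cents": 700},
    {"id": 2, "name": "Gear", "price_cents": 499, "cost_cents": 120},
]

# Allow-lists decide what leaves the server. cost_cents is in neither list,
# so it is never exposed regardless of credentials.
PUBLIC_FIELDS = frozenset({"id", "name"})
AUTHENTICATED_FIELDS = PUBLIC_FIELDS | {"price_cents"}

# Hypothetical server-side secret for the toy token scheme below.
_SERVER_SECRET = b"constructed-demo-secret"


def issue_token(user: str) -> str:
    """Mint a bearer token of the form user.hexmac (toy scheme, assumption)."""
    mac = hmac.new(_SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user name if the token's MAC checks out, else None."""
    user, sep, mac = token.partition(".")
    if not sep or not user:
        return None
    expected = hmac.new(_SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return user if hmac.compare_digest(mac, expected) else None


def _project(record: Dict[str, object], fields: frozenset) -> Dict[str, object]:
    """Keep only allow-listed keys; everything else is dropped on the server."""
    return {k: v for k, v in record.items() if k in fields}


def get_widgets(headers: Dict[str, str]) -> Tuple[int, object]:
    """GET /widgets: one endpoint, representation chosen from the credentials.

    Returns an (http_status, body) pair so the logic can be tested without
    a web framework.
    """
    auth = headers.get("Authorization", "")
    if not auth:
        # Anonymous caller: public listing, no prices.
        return 200, [_project(w, PUBLIC_FIELDS) for w in WIDGETS]

    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or verify_token(token) is None:
        # Credentials were presented but are unusable: fail closed with 401
        # rather than quietly serving the public view.
        return 401, {"error": "invalid_token"}

    # Authenticated caller: full widget record minus fields that are never exposed.
    return 200, [_project(w, AUTHENTICATED_FIELDS) for w in WIDGETS]


if __name__ == "__main__":
    print(get_widgets({}))
    print(get_widgets({"Authorization": "Bearer " + issue_token("alice")}))
    print(get_widgets({"Authorization": "Bearer alice.not-a-valid-mac"}))
```

The point of keeping the branch server-side with allow-lists rather than deny-lists is that a newly added private column defaults to hidden, and the client needs only one URL whether or not it has logged in, which is the complexity trade-off the answer describes.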