I have created a website which allows users to sign up for, and use, an online service. To help promote the website we will have resellers who will be offering their own branded services through us. The initial plan is to allow resellers to place registration, login, and lost password forms on their own website and use an API created by us to handle these requests.

I have begun outlining how I expect the API to work (and started documenting it as well) and I want to make sure I get it right, or as close to right as I can, from the beginning, as I know once you have declared a public API you want to avoid changing that API at all costs.

So far I have decided:

  • To have the user pass their account credentials with each request
  • To require SSL for all requests

What else should I be keeping in mind?

+2  A: 

This is a presentation by Joshua Bloch that is a must-read for API designers:

http://www.infoq.com/presentations/effective-api-design

Scobal