Technically yes, but it is up to us as developers to make sure that the data our API handles is secure.

Right now we are learning how to use Express and the handler methods, so we are focusing on performing the task and how they are written. As we get a better hold on it, we can start thinking about assigning not just checks on what is being requested but what.

Many APIs will require us to create an account, which will provide us with an API key that we can use either to access more complex requests (for example, something beyond a GET all method) or to actually be able to use the service. That API key protects the server and delimits our capacity as users to access certain functionalities. For example, Spotify will allow us to have full access to all features of their API with a key, but irreversible and personal changes like an UPDATE or DELETE function will also require the permission of the account’s user. Some other servers will only have read-only functionality, i.e. we can only GET data. It is up to us as developers to restrict access to sensitive data or functionalities that might affect the overall health of the same data.

So again, anyone can send a DELETE request to an API, but it is up to us to decide how to set up the necessary checks to allow it.
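As an added example (not part of the original post), here is one way to put such a check in front of a DELETE handler using Express-style `(req, res, next)` middleware. The `x-api-key` header name, the key values, the `delete` scope, and the `/items/:id` route are all assumptions made for illustration; `simulateDelete` is a hypothetical stand-in that runs the chain without a server.

```javascript
// Constructed sample data: API keys mapped to the scopes they grant.
// A real service would keep hashed keys in a datastore, not literals in code.
const API_KEYS = new Map([
  ['demo-read-key', ['read']],
  ['demo-admin-key', ['read', 'delete']],
]);

// Constructed in-memory resource collection.
const items = new Map([
  [1, { id: 1, name: 'first' }],
  [2, { id: 2, name: 'second' }],
]);

// Middleware factory: rejects the request before the handler runs
// unless the presented key exists (401) and grants the scope (403).
function requireScope(scope) {
  return function (req, res, next) {
    const key = req.headers['x-api-key'];
    const scopes = key ? API_KEYS.get(key) : undefined;
    if (!scopes) return res.status(401).json({ error: 'missing or unknown API key' });
    if (!scopes.includes(scope)) return res.status(403).json({ error: 'key lacks scope: ' + scope });
    next();
  };
}

// The DELETE handler itself only runs for authorized callers.
function deleteItem(req, res) {
  const id = Number(req.params.id);
  if (!items.delete(id)) return res.status(404).json({ error: 'not found' });
  res.status(204).end();
}

// With Express installed, the wiring would be:
//   app.delete('/items/:id', requireScope('delete'), deleteItem);

// Hypothetical helper: drives the same chain with stand-in req/res objects
// and returns the HTTP status the client would receive.
function simulateDelete(id, apiKey) {
  const req = { method: 'DELETE', params: { id: String(id) }, headers: apiKey ? { 'x-api-key': apiKey } : {} };
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
    end() { return this; },
  };
  requireScope('delete')(req, res, () => deleteItem(req, res));
  return res.statusCode;
}
```

Anyone can still send the DELETE request, but only a key carrying the `delete` scope reaches `deleteItem`; a missing key gets 401 and a read-only key gets 403.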

