Thanks for the mention Fireship! You are the best!!!
Hmm I just watched your video lol
He is
As soon as I saw fireships video I remembered that I am having a deja vu lol. I saw your video first. It was awesome
I have this amazing API idea in my head for weeks now, with your videos it is one step closer to reality :D
I’ve watched your video too. Very good work !
building the API is the easy part.
coming up with an idea that actually solves a problem is the hard part.
It is pretty saturated too.
Exactly
And it should solve it better than existing solutions
I'd say the hard part is actually providing a useful solution.
A service that tells you what someone else is thinking about is a trillion dollar idea. Now implement it
Just remember that ideas are cheap. Often times it doesn't matter if you're original if you can implement it better than others.
This is hands down the best dev channel on YT. Straight to the point, clear, and easy to follow. Always great content.
I used to be an Android developer, but switched to Product management shortly after since coding wasn't really for me, so i haven't coded in years. It's always great watching your videos to have a high-level understanding of how things should work. It makes talking with the developers much easier.
you got promoted to your level of incompetence
Hi, I feel the same way that coding isn't for me although i am trying really hard, could you please suggest me how did you make the switch to Product Management?
As others have said, it isn't too hard to create a simple API. It doesn't need to be complex or comprehensive. The best thing to do is to wait for a new trend to integrate an API into, and then the demand for your API will come naturally. There's no point competing, just be relevant.
You are dead on, but do you realize what you're saying? These "trends" are here. Think of an idea that the news can't stop talking about, think of the vast amount and what type of data that's required for these people to pursue their (nefarious) plans... now serve it to them, if you don't someone else will. and hope history remembers you as the messenger and not the facilitator. I can think of several trends that fit this but there's particularly one that absolutely dominates the others and it's not going to be talked about by anyone making APIs already.
@Thomas Robertson why nefarious only 🤷????
Are there no more good ones 🤔????
@@thomasrobertson9835 which trends are you referring to?
You're fucking awesome man!
Even though I'm not learning anything new, it's always a pleasure to watch your damn well made videos.
Oh my god dude, your visuals and graphics are some of the best in the game. Keep it up!
and his jokes too
It's worth pointing out that md5 is not a great hashing function for sensitive data, in general argon2 and bcrypt are much more secure
Bcrypt is commonly used now (I think not sure at least that's what I've used before)
@@dynamicdanymo8343 yes, but argon2 won the competition, if you have the option to choose which one to use, my recommendation is argon2
@@lmtr0 With 10+ passes. Though that’s getting into “hey actually read the documentation” territory, which no one does even if it’s important.
I am getting _really_ tired of web developers using MD5 as an example for cryptographic purposes. No mention of salt and pepper either.
Oh well. At least I won’t be out of a job I guess.
@@liesdamnlies3372 Now I'm getting offended, I really read the documentation. LMAO
I'd love to see some videos on the following topics:
Gitlab Auto DevOps
Chaos Engineering (Litmus)
Policy as Code (Open Policy Agent)
Compliance as Code
In general just more topics on security, DevOps & Site Reliability
Just read the front page of any projects or notable resources regarding the subject and you'll have the same amount of info, his videos are nice for discovering things but otherwise it's just the basic examples from the READMEs
@@heroe1486 @Heroe / you obviously don't know the amount of research required. You can't just "read the front page" rofl.
There's a big difference between reading something, understanding it and using it in practice.
@@uziboozy4540 No, they mean reading the front page (and some docs and stuff) will provide the same level of info as Fireship's videos. However, there are various small but helpful or important things you might learn from Fireship as he is an experienced dev.
@@uziboozy4540 you need to learn "how to ask questions", if you wanna learn about these concepts read wikis, there is just a lot of content out there on the internet
@@hargunbeersingh8918 bruh, when did I ever state that I specifically needed videos for these topics?
It was a simple suggestion, moron.
this was awesome!!
a dollar for a bunch of fire emoji's
sounds *LIT*
That's exactly what I needed. Now all I have to do is find an idea for an API that anyone would want to pay for.
Exactly my thoughts.
that's the hard part.
Ania Kubow
@@naurapuspita5073 wtf girl?
@@alkanedust3848 he's talking about the other YouTuber he mentioned in this video. Timestamp is 1:48
If i can sell my API for dollar a request then i will make Elon Musk be a second richest man
Gotta keep up with that inflation
@@klicer3068 just preach bad code and watch people making more requests than needed.
@@rafflezs Genius
@@rafflezs you are my hero.
@@rafflezs That is literally illegal
just wow, you're every tech enthusiast's dream to be as great as you
"The API key is now safe to store" It's not. MD5 is not secure AT ALL and should NEVER be used to store sensitive data!
so what should you use?
Also, a salt should always be used, regardless of the hashing algorithm.
Some hashing algorithms have this built in
Good call, that was an oversight. The main point was to not store the raw password, but hash it, but MD5 is not an ideal algorithm
@@badbunnyfreaky SHA 256 works well (for general hashing)
@@travispettry3025 no it doesn't.
The charging $1 for an emoji data response bit had me in tears 😂
Love this videos about API's! Great work as always!
Man you're golden. I've been building an API with node and express to receive payments in my country(Cameroon) with our local payment methods and with my cofounder, just yesterday I was literally talking about using stripe for international payments. Thanks for the tutorial🔥
- "You got a deal, take my money"!
Said no customer ever. 😅
Jokes aside. This is a very helpful video! Thank you!
this was great, very helpful. it's crazy how much information you cover in such a short video.
8:51 My man put the MongoDB logo upside down :(
🤦♂️
😂 proof he’s not a robot
@@AtomicCodeX That's what a robot would say
😂 I've figured out all other database names and then struggled with upside down mongo, i finally remembered it was mongodb, but totally neglected that it was upside down until I see this comment
@@twitchizle sounds really inappropriate🤣😂
Thanks!
billion dollar api with your basement . loved this line
thanks for teaching us in simpler way
How do you come up with ideas so fast? Such well rounded content, thank you
People please don't use MD5 for your hashing... if you're asking yourself "Why?" then you have a lot more to learn before you should be messing around with anything related to payments. Also note that depending on where you are in the world, your country (or each country you're going to be operating in) may have different fiscal and certification requirements for these things, so DON'T just go and publish some random payment app. Also take into account that you might want to get some professional help with setting up some Ts&Cs for your users which they have to accept.
Coding is and should be fun! But code responsibly :)
In case of not using MD5 i totally agree with you in the end just don't use it, but hashing api keys with MD5 is more secure than hashing passwords for two reasons 1) API keys are long and it's harder to break them compared to an 8 character passwords. 2)in many cases of breaking MD5 a dictionary of hashes is being used to test against for most popular passwords but this won't be the case with random bytes
@@pooyaestakhry Interesting thought🤔 but are there drawbacks to just using something like SHA-256 for your API keys? I mean surely its much more secure?
@@hugh-martinrouxhughy7419 practically ? no. as i said in the end i wont use MD5 either
One thing I wanna say, stripe is a payment provider and essentially the global users will be buying products from the country that you're operating from. Don't worry abt international laws, just abide by the country that you're operating from, Stripe is good on it's T&C and you may not need to worry about other countries, if you think you should be worried about rules of countries I'll be operating on, you'd have to write T&C for each country, this is bullshit. Do you need to worry about laws of each country while using western union? I hope this helps somebody.
What kinds of data do you think an amateur should collect to offer as data in the API?
Well that's the billion dollar question, isn't it? 😂
Try pictures of your mom. :-P
Song lyrics
Create an IT startup, gain customers, collect their data, sell them through api.
You're a gift for the 21st century
Omg the editing is cleaner than the soap🧼
That’s cuz it’s REST ;)
The title should probably be like this "Make Money from your API - Tutorial". I was like, how can I make money from my API tutorial? :D
It is simply amazing that this content is free. Thank you ❤
am not doing each video you make but you make the one watch the video just for pleasure and fun thanks for your great work
Yoooo its so cool you mentioned Stripe's prebuilt checkout I remember writing a tutorial article in how to implement it on Laravel once I got it to work. I struggled to implement it because in the documentation it uses a different PHP framework.
You should use a middleware to validate the API key and a second one to report API usage in order to keep your API implementation cleaner.
What do you recommend?
bravo - succinct, no fuss and on point.
Seriously, your videos are like the best. These are just awesome. Keep up the great work man.
Indiano?
Fireship the god of programming. AniaKubow the goddess of programming. My teacher who works in Amazon is the legend of Programming.
Wtf, I’m literally creating my own api atm. Just struggled with the stripe integration. This was so fucking good.
I don't understand how he does it, it's like every single time
I am learning front end to take over my dads business website so he can save some money. I've still got a lot of learning ahead but im starting to understand the syntax a bit more each time i study. I know watching this is probably way ahead of what im learning but its still very interesting to see what I can start working with later. Thanks for the tips Fireship :D
@Erich yes but those sites are usually pretty slow I’ve noticed, it’s also better I learn for a career later on
You don't study this..u get good by doing it
@@sangbeom6245 speak for yourself
@MsPitufo2012 Coding is something you do in application practicing not memorizing it first
there's a lot more nuances to developing a scalable, maintainable, secure API than this video offers. but it at least gets you on your feet to building one 😎
This is really what I wanted. Nice one Jeff 🔥
A million thanks for yet another gem of a work!!
plain and simple we need a full course of this
Are you reading my mind? I was literally looking for this last night.
Great stuff. Although the most challenging part is to actually register the Stripe business account being a regular developer and knowing nothing about registering a company 😅
Don't need a company or anything (at least in the US). Just make a Stripe account!
@@wadefletcher8928 One would still need a U.S. bank account at the very least.
woww, 2 videos in a day , Crazy efforts man 😱
Gotta try this and I am all for this. Not for money but for authentication and generate keys
I just finished a web dev bootcamp a few months ago, this was the greatest tutorial I’ve ever seen
I rarely comment, but your videos are just straight NUTTY so much deep fucking value
Excellent video. Thanks for making it! As a hardcore, paranoid nerd I'd recommend something other than MD5 like SHA1 or SHA256 but that's a simple change.
NO NO NO NO NO, pbkdf2, s/bcrypt or argon2id
@@rogervanbommel1086 And SALT!
@@n8guy salting api keys doesn’t matter, passwords should be, api keys are random and salt prevents checking duplicates and rainbow tables
@@rogervanbommel1086 that's a good point - I was thinking of the two as analogous, but that is an important distinction. I suppose it still doesn't hurt, but you're right, it's probably unnecessary.
@@n8guy yea, i mean it even CAN hurt because it’s more data to store and the more complicated the easier to screw up
Perfect timing. ✌️💯🔥
I love your channel, all the stuff you need in 1 video
yo fireship can you do a video teaching us how you learn new technologies, cuz you obviously don't know everything but anytime you make a video you have some grounded knowledge about it. could you like do a walkthrough maybe a live or something. That would be awesome.
I find it’s always great to insult people when you ask them for a favor
@@illuminated2438 what was the insult??
As usual, outstanding video!!
Congrats 888K Subs 🚀🚀
Love this channel and newly subscribed to Ania! Hadn’t come across her channel before now but it looks great
Well in my case, I "nearly" subscribed to Ania, but found this channel instead 😂
return missing in 10:42 for the recursive call?
10:45
Shouldn't the generateAPIKey() function call have return in front of it?
Seems like a bug to me. If there is already an API key in there, the function will return undefined
Yes I think you are right 😊
$1 per request 😂😂
Api that returns tomorrow’s stock price
@@mrfrozen97-despicable😂
Epic video for getting started on this sort of thing
If API keys are as important as Passwords I don’t think MD5 is going to cut it.
was thinking the same
Then take SHA1 or SHA 256
@@spacemeter3001 SHA1 is also not considered secure anymore
Yep, at the very least salt your md5 hash
@@jakeflynn8043 salting isn't possible with API keys, and also NEVER ROLL YOUR OWN CRYPTO. If you're manually concatenating a salt to a password, you're doing it wrong.
Building an API is super-easy, barely an inconvenience
You deserve everything good my guy!
Amazing, thanks for sharing it!
Amazing work! You just got a new sub.
Awesome content, Thank you. This video deserves 30 mins, you might have elaborated this a little more :-), love your work.
Such a great content brother!
Awesome video man ^^
This guy doesn’t miss
man that's cool! can you make a video about cron jobs and background queues for node/next.js
Would enjoy this as well!
This is awesome we need more vids like this thanks a lot
Simply amazing!
12:17 How to make it background job? Any tech or something should i look for?
I am looking for the same. Have you found any option?
@@sasivarnan36 no, not yet, if you do please let me know
beautiful video as always, thanks :D
this was a great tutorial thank you !
This is awesome! Thanks!
10:43 So you just fail by returning undefined if the key is not unique?
so it all about
- an awesome API idea
- little marketing
what if the user forgets the api key? and we have only hashed ones🤔
create a function where the user can create a new api key (renew).
You generate a new one and replace the old hash.
@@Fireship ohhh google not hashing my api keys as i can still see old ones.
How can we send the unhashed API key to user when it is generated inside stripe's webhook ?
You should do another three js course.
Very good explanation, congratulations! 👍
Awesome video. Very informative
Your content is excellent!
I'm always curious as to where ppl get their data from that these APIs use. For instance, in the case of a weather API, where does one get data (possibly, for free - legally ofc) to serve up to clients?
this is great. thanks for the tutorial :)
This guy is amazing!!
hi,can you tell me from where you get animation images
Great content!!
posts weather data like a chad
What would be the best way to correctly do what is explained at 3:35 about storing the key in the header? I guess you would just add a 'X-API-Key', header some how? And why is this more secure?
The reasoning is URLs (including the query string if api key is included in the url) are often stored in server logs where the http(s) headers are less likely to be stored.
Do you have any recommendations for services that we could use to make localhost webhooks work? (not Stripe CLI)
This is amazing thanks!
Md5 is broken it can be reverse hashed, use something like sha256
And
Apikey shouldn't be sent as query param, it would be wise to send it in headers, headers are encrypted query is not.
And
To check for duplicate api key while creating them, use unix time stamp with microsecond time diff in the hex, this way u will reduce one db call
Query parameters are also encrypted by SSL. The danger is more in accidental logging of the URL and it is more clean as a header as users don’t have to manipulate the URL. You don’t need to check for duplicate API keys if your API key already is 16 Bytes (128 Bits) long and you are using secure ways to produce randomness as it is literally impossible to have collisions.
I like your comment though because all my stuff is nitpicking while security is always important.
SHA is not much better than md5 and is also not suitable for password hashing. Instead Argon2 should be used (or Bcrypt if that's not available).
Didn't you watch the video? They clearly stated that API keys should be in the header, they were only sending it as a query parameter for simplicity of the example.
But yes, MD5 is insecure but the general idea of hashing still is important.
@@rz2374 The amount of data loss and real-world harm caused by this sort of laziness in the industry really makes this crap inexcusable. Great, doing it the wrong ways is easier. Big surprise. Why bother teaching people how to do it the wrong way when you didn’t start with the right way?
You are awesome 🔥🔥
Fireship rocks🔥🔥
Jeff... you’re the best.
How did you make the chatting animation at 1:02 to 1:18 ??? Please Fireship i must know.
He's so good I want to cry
10:47 wouldn't this in case that there would be duplicate return nothing? Since when you recurrently generate new api it doesn't return that value to previous call? Or I just don't get js enough.
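
Several points raised in the comments above (the missing `return` on the recursive retry, SHA-256 rather than MD5 for random keys, and sending the key in an `X-API-Key` header so it stays out of URL logs), put together as an added Node.js example. It is not the video's code or any commenter's; the function names, the in-memory `Map` standing in for a database, and the `apiKey` query-parameter name are assumptions.

```javascript
// Added example. All names here (generateApiKey, hashApiKey, keyFromRequest,
// authenticate, loggableUrl, the apiKeys Map) are illustrative assumptions.
const { randomBytes, createHash } = require('node:crypto');

// Stand-in for the database: maps hashed key -> customer record.
const apiKeys = new Map();

// SHA-256 of the key, hex encoded. A fast, unsalted hash is reasonable here
// only because the input is 128 bits of CSPRNG output, which cannot be
// guessed from a dictionary. Human-chosen passwords need bcrypt or Argon2.
function hashApiKey(apiKey) {
  return createHash('sha256').update(apiKey, 'utf8').digest('hex');
}

// Creates a key, stores only its hash, and returns the plaintext exactly once.
// `rng` is injectable so the collision branch can be exercised in a test.
function generateApiKey(customerId, rng = randomBytes) {
  const apiKey = rng(16).toString('hex'); // 16 bytes = 128 bits
  const hashed = hashApiKey(apiKey);
  if (apiKeys.has(hashed)) {
    // The `return` is the fix discussed in the thread: without it the retry's
    // result is discarded and the caller receives undefined.
    return generateApiKey(customerId, rng);
  }
  apiKeys.set(hashed, { customerId, active: true });
  return { apiKey, hashed };
}

// Reads the key from the X-API-Key header. Node lowercases incoming header
// names, so the lookup uses the lowercase form.
function keyFromRequest(req) {
  const value = req.headers['x-api-key'];
  return typeof value === 'string' && value.length > 0 ? value : null;
}

// Hashes the presented key and looks the hash up; the plaintext is never
// stored or compared directly.
function authenticate(req) {
  const apiKey = keyFromRequest(req);
  if (!apiKey) return null;
  const record = apiKeys.get(hashApiKey(apiKey));
  return record && record.active ? record : null;
}

// For clients that still send the key in the query string: TLS protects it in
// transit, but access logs record the full URL, so redact before logging.
function loggableUrl(rawUrl) {
  const url = new URL(rawUrl, 'http://localhost'); // base only for parsing
  if (url.searchParams.has('apiKey')) {
    url.searchParams.set('apiKey', 'REDACTED');
  }
  return url.pathname + url.search;
}

// Constructed usage: issue a key, then authenticate a request carrying it.
const issued = generateApiKey('cust_demo');
const demoRequest = { headers: { 'x-api-key': issued.apiKey } };
console.log(authenticate(demoRequest));
console.log(loggableUrl('/api?apiKey=' + issued.apiKey + '&city=paris'));
```
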