In an IoT project, each component has an important role to play. Devices are able to sense the state of the environment and perform actions depending on a specific state. The internet enables the devices to communicate data which can be acted on. With such connectivity, it is possible to receive data from vast geographical areas and also control devices located in a wide area.
The backbone of internet connectivity is an application programming interface (API). An API is designed to give machines access to services. The needs of an IoT project can be met either by an existing API or by writing a new one. Although existing APIs may be simple to use, they may not offer the flexibility needed for use with embedded devices. Success at building an API requires a thorough understanding of the available data, the data processing tasks and the results that will be obtained. This approach is similar to the MVC pattern, where a business problem is independent of the user interface.
In this tutorial, we will use an example of an activity management device to demonstrate how to develop an API. The user will specify the period of time they would like to track an activity and the device will communicate the activity status to a remote server. The three status options that can be communicated to a server are ongoing, finished or canceled. An API is needed to handle the following device interactions:
• Beginning a new activity
• Altering the duration of an activity after it has been specified
• Noting an activity has been finished
• Canceling an ongoing activity
• Editing activity metadata such as the name, which is done more efficiently through a computer or a phone
• Viewing historical activities and their descriptions
When developing an API, a critical consideration is securing your data. For any request, an identity has to be specified so that the correct historical activities of a user can be pulled later. For applications that are not handling sensitive data, a password offers some level of security. Therefore, when considering API security, user identity and authentication are the critical components. The challenge that needs to be overcome is linking an embedded device to a specific user and password. A widely used technique to solve this challenge is tying a device MAC address to a user.
Sending device and user identity data over the internet has risks that need to be carefully considered. Any network intrusions that reveal user details may lead to creation of irrelevant data or exposure of user details. Compromise of a device offers an opportunity to identify any unencrypted data being sent. The problem of passwords being intercepted is solved by using encryption. Using encryption to protect device data is challenging because of the huge computational resources required for encryption. While developing an API, a cryptographic library can be incorporated to ensure data security.
When implementing an API, data needs to be sent from a device to a remote server. When handling data, it is best practice to use established standards and data formats because libraries to consume and process the data are readily available. Some of the widely used standards and data formats are listed below:
• REST provides access over the web and returns JSON or XML data. REST has the advantages of wide support and simplicity. However, it has the disadvantage that it is not supported on all devices and servers. JSON formats data as property name: property value pairs to facilitate data exchange.
• JSON-RPC enables passing and returning JSON.
• XML-RPC uses XML format
• SOAP uses XML
In the implementation of username and password, we noted that a network vulnerability would result in exposure of both. A safer implementation is logging in for a limited period of time. This involves implementing session cookies where there is support for cookies and setting headers manually where cookies are not supported.
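A time-limited login of this kind can be sketched as follows. This is an added example, not code from the original tutorial: the device registry, the 15-minute lifetime, the `session` cookie name and the `X-Session-Token` header name are all assumptions. The MAC address only selects the user; the password check (assumed to happen before `issue_session`) and the signed, expiring token carry the authentication.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to a device
SESSION_LIFETIME = 15 * 60             # assumed lifetime: a login is valid for 15 minutes
DEVICE_OWNERS = {"02:00:00:aa:bb:01": "alice"}   # constructed registry: MAC -> user


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(mac, now=None):
    """Call after the password check succeeds; None means unknown device."""
    mac = mac.lower()
    user = DEVICE_OWNERS.get(mac)
    if user is None:
        return None
    expires = int((time.time() if now is None else now) + SESSION_LIFETIME)
    payload = f"{user}|{mac}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_session(token, now=None):
    """Return the user for a genuine, unexpired token, else None."""
    try:
        encoded, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except ValueError:                   # missing separator or bad base64
        return None
    # Check the signature before trusting any field inside the payload.
    if not hmac.compare_digest(signature.encode(), _sign(payload).encode()):
        return None
    user, mac, expires = payload.decode().split("|")
    if (time.time() if now is None else now) >= int(expires):
        return None
    return user if DEVICE_OWNERS.get(mac) == user else None


def token_from_headers(headers):
    """Prefer the session cookie; fall back to a manually set header."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":            # assumed cookie name
            return value
    return headers.get("X-Session-Token")   # hypothetical header name
```

An intercepted token is only useful until it expires, and the password itself is sent once per session instead of with every request.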
To test an API, the CURL utility provides a mechanism to move data. You are able to make HTTP requests by specifying a URL, the type of request, user, password and data format. An example of using curl is shown below:
# The -F flag sends each field as form data, which makes this a POST request
curl http://localhost:8080/user.json \
-F user=user -F pass=password
The example above demonstrates just one way in which CURL can be used. Other ways in which CURL can be used include making PUT requests and logging in with cookies.
The API we have developed up to this point lacks some elements that would make it more useful. The functionalities listed below can be incorporated:
• Using OAuth to interact with services like Twitter
• Limiting the number of device and server interactions
• Besides returning text data, interaction with a web browser can be supported
When an API uses HTTP, the request/response approach means the level of responsiveness may not be the best. To improve the level of responsiveness, HTTP alternatives can be used. Protocols that do not use HTTP, such as MQTT and CoAP, can be used. Other alternatives that can be used to improve responsiveness are polling and comet, which will be briefly discussed.
Polling is a technique used to improve the responsiveness of an HTTP API by regularly making requests. Although the delay in requests can be minimized by setting the period to a few seconds, such a setup has an impact on the server and clients. The load placed on the server when there are thousands of devices will slow down the server, which may necessitate scaling. The behavior of devices while connecting, such as blocking, needs to be carefully considered.
To overcome the shortcomings of polling, several technologies collectively known as comet were developed. With long polling, a client places a request but the server only responds when there is a message to be returned. WebSockets and multipart XMLHttpRequest are other options that can be used.
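The difference between polling and long polling can be seen in a small in-process model. This is an added example, not code from the original tutorial: the `LongPollChannel` class, the timings and the "cancel activity" message are assumptions, and threads stand in for the network. The bounded timeout on the held request matters on a real server, since every waiting device occupies a connection.

```python
import threading
import time
from collections import deque


class LongPollChannel:
    """Server-side mailbox for one device (hypothetical helper)."""

    def __init__(self):
        self._messages = deque()
        self._cond = threading.Condition()

    def publish(self, message):
        with self._cond:
            self._messages.append(message)
            self._cond.notify()

    def short_poll(self):
        """Plain polling: answer immediately, usually with nothing."""
        with self._cond:
            return self._messages.popleft() if self._messages else None

    def long_poll(self, timeout):
        """Hold the request open until a message arrives or the timeout expires."""
        with self._cond:
            self._cond.wait_for(lambda: self._messages, timeout=timeout)
            return self._messages.popleft() if self._messages else None


def requests_until_delivery(delay=0.3, interval=0.05):
    """Deliver one message after `delay` seconds under both schemes.

    Returns (number of short-poll requests needed, message from one long poll).
    """
    polled = LongPollChannel()
    threading.Timer(delay, polled.publish, args=("cancel activity",)).start()
    polls = 1
    while polled.short_poll() is None:   # each iteration is one HTTP request
        time.sleep(interval)
        polls += 1

    held = LongPollChannel()
    threading.Timer(delay, held.publish, args=("cancel activity",)).start()
    message = held.long_poll(timeout=5.0)   # a single request, answered on arrival
    return polls, message
```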
In this article, we noted that an API forms a critical part of the internet connectivity element of an IoT project. An example of an activity management device was used to demonstrate API development. We discussed the functionality the API has to handle and the data formats used to transmit data. We also highlighted how CURL is used to test an API.