ICSSC LogoICS Student Council
Anteater API

Best Practices

Rate Limits

You may use most features of Anteater API without requesting an API key. Requests made without keys are subject to a per-IP basis and also draws from a global quota that is replenished on an hourly basis. If the global quota is exhausted, only requests with valid API keys will be accepted, so we recommend that you request an API key here.

Rate limits for Anteater API are enforced on a per-key basis otherwise. However, our goal with these rate limits is to support almost all applications while preventing abuse. We understand that student projects, especially those made for a hackathon, may experience sudden traffic spikes, and have ensured our rate limits are much higher than what is necessary for almost all applications. If your application requires a higher rate limit, we will evaluate your use case and may choose to increase your rate limit.

With that being said, we ask that all developers refrain from purposefully sending large amounts of requests in a short interval, or making malicious requests with the intent to exploit vulnerabilities in the API. We reserve the right to blacklist IP addresses making such requests.

If you do believe you have discovered a security vulnerability in Anteater API, please open an issue here. Since we do not serve sensitive data, there is no need to report such issues confidentially, nor is there an email address for such purposes.

Using your API key

Anteater API offers two types of keys, publishable keys and secret keys.

Publishable keys are intended to be used in client-side code and as such can be safely exposed in source code. We verify the identity of the client making the request using a publishable key by comparing the Origin header with the set of allowed Origin headers, which is provided by the user when requesting a publishable key. The Origin header is automatically provided by your HTTP library and cannot be modified.

Secret keys are intended to be used in server-side code, and should not be exposed since no additional verification is performed.

Regardless of the type of key, you'll have to send the key to the API in order to take advantage of its benefits. The following is a non-exhaustive list of code snippets for doing so using various HTTP libraries. If the library you're using isn't present below, please don't hesitate to open a pull request!

import fetch from "cross-fetch"; // ESM import
// const fetch = require("cross-fetch"); // CJS import
 
const res = await fetch(
  "https://anteaterapi.com/v2/rest/websoc" +
    new URLSearchParams({
      year: "2023",
      quarter: "Spring",
      department: "COMPSCI",
    }),
  {
    headers: {
      Authorization: "Bearer YOUR_API_KEY_HERE",
      // other headers
    },
    // other options
  }
);

Previous

Attribution Policy

Next

API Versioning

On this page