We ares starting to work through the design of our dev portal and have to deal with both public and private APIs but in a seamless manner. Too early to say but we would like to be able to handle different scenarios such as:
- A single API contains both public and private operations
- A single API contains all private operations
- A single API contains all public operations
Couple of thoughts:
- Initial thought is to leverage the OpenAPI security schemes and scope restricting access to the private APIs only for internal users. Endpoints will still be visible but not accessible which might frustrate users.
- Annotate the private operations somehow so they are not visible. However, we need to make these visible for internal users.
A side question is dealing with alpha vs beta APIs.
What are your recommended best practices?