As we continue to improve the DFA API, two upcoming security enhancements are particularly noteworthy. We want you to be aware of adjustments to HTTP support and token lifespan and to take them into consideration when planning the development and upkeep of your applications.
Moving Towards Secure Connections
Last year, Google began an effort to improve the security of our APIs with SSL encryption. Most of Google’s Ads APIs already require requests to be made over HTTPS connections. The DFA API will be following suit this year. We’ll consider the use of HTTP connections deprecated with the release of v1.17 in mid-February 2012. Support for making requests over HTTP will be completely retired in v1.18, expected to launch in May 2012. Our client libraries will transition to using HTTPS connections during the launch of v1.17.
On the Horizon: Expiring Tokens
Currently, tokens generated from the login service’s authenticate operation do not expire unless the user profile’s password is changed. In the not-too-distant future, API tokens will have a timed lifespan. We will be adding a new error code to represent a failure due to an expired token so that your applications will be able to catch and handle this situation.
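One way an application could prepare for both changes, shown as an added example that is not code from the DFA API or its client libraries: a session wrapper that refuses non-HTTPS endpoints and re-authenticates once when a call fails because the token expired. The expired-token error code has not been published, so `ExpiredTokenError`, `TokenSession`, the endpoint URL and the stand-in service in `demo()` are all hypothetical.

```python
from urllib.parse import urlsplit

class ExpiredTokenError(Exception):
    """Hypothetical stand-in for the not-yet-published expired-token error."""

class TokenSession:
    """Caches a login token and refreshes it a bounded number of times."""
    def __init__(self, endpoint, authenticate, max_reauth=1):
        # Reject plain HTTP up front so tokens never travel unencrypted.
        if urlsplit(endpoint).scheme.lower() != "https":
            raise ValueError("refusing non-HTTPS endpoint: %r" % endpoint)
        self.endpoint = endpoint
        self._authenticate = authenticate  # callable returning a fresh token
        self._max_reauth = max_reauth
        self._token = None
        self.auth_calls = 0

    def _fresh_token(self):
        self.auth_calls += 1
        self._token = self._authenticate()
        return self._token

    def call(self, operation, *args):
        token = self._token or self._fresh_token()
        for attempt in range(self._max_reauth + 1):
            try:
                return operation(self.endpoint, token, *args)
            except ExpiredTokenError:
                # Only expiry triggers a refresh; other errors propagate.
                if attempt == self._max_reauth:
                    raise  # bounded retry: never loop on a broken login
                token = self._fresh_token()

def demo():
    """Constructed stand-in service: 'tok-1' has expired, 'tok-2' is valid."""
    issued = iter(["tok-1", "tok-2"])

    def authenticate():
        return next(issued)

    def get_report(endpoint, token, report_id):
        if token != "tok-2":
            raise ExpiredTokenError(token)
        return "report %d via %s" % (report_id, token)

    session = TokenSession("https://api.example.invalid/dfa", authenticate)
    first = session.call(get_report, 7)   # expires once, then succeeds
    second = session.call(get_report, 8)  # reuses the cached fresh token
    return first, second, session.auth_calls
```
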
We do not have a concrete release date for token expirations yet. It will not be part of the v1.17 release. Please keep an eye on our blog for further updates about this topic. Questions and comments are always welcome on our forum.