The Graph API

API for use by plugins, cross domain transfers of thoughts and other domain items, and to be used by live atomized streams.

This api is safe. Only those values that one can get through their current login are returned. Passwords and other sensitive information are excluded. The integrity of privacy, draft, etc is maintained. SQL injection is prevented.

Note: completed features are in bold and many clickable examples are provided

Legend

Url syntax: / get | put / …

<id> = thought id
<gid> = group id
<group> = group name or group id
<uid> = author id
<tid> = tag id
profile = an author specified by profile group
fields = a comma separated list of fields – not given means ALL
qualifiers = NVP properties such as distinct=1 and orderby=date and limit=100

Graph API GET Commands
Graph API PUT Commands

Comments

Seth says

nathan of group nathan 2016-02-28 06:54:10 [item 20179#47130]

My project for last night. The complete ones with examples are as far as I got.

This API mimics Facebook’s graph API in many respects.

kudos indeed

Holmes says

seth of group seth 2016-02-28 07:30:41 [item 20179#47136]

Just to be clear, a client browser cannot grab any data that was not permitted already according to the client’s sign in. For example i just logged out and tried to get the data in this thought, and recieved the following result: {"rows":0,"thought":null}

My questions:

how do you do server to server data transfers … what establishes the permissions? what sign-in is used?

how can whole images be transferred?

seth of group seth 2016-02-28 07:44:54 [item 20179#47141]

i think i can answer my first question: These data transfers must always be instigated by a client browser.

Answered question two elsewhere as well. The answer is extremely simple and straight forward. data:uri.
Any media can be transferred in JSON using a data:uri … although it is frowned upon for video due to the extra cost of the base 64 encoding eating up 1/3 more internet bandwidth than actually needed.

Seth says

seth of group seth 2016-02-28 07:30:41 [item 20179#47136]

My questions:

how do you do server to server data transfers … what establishes the permissions? what sign-in is used?

how can whole images be transferred?

nathan of group nathan 2016-02-28 07:42:38 [item 20179#47140]

Images can be transferred easily as data:uri’s.

There will need to be a protocol allowing a person (or td robot) to log in by proxy to the remote thinking.domain. It has to be by proxy through the sever because a browser cannot be logged into two places at once (even thought it seems like it can the way FB and stuff works, but in reality, it can’t … other magic is being done).

I have done this kind of thing before. When I get to needing it I will add it.

seth of group seth 2016-02-28 07:52:11 [item 20179#47142]

one application for server-server might be where person A in one domain might subscribe to a person B in another, such that the first person A gets all of the thoughts of person B posted automatically in their group. Wold that require a client logged in to cause the transfer to take place?

Poe of group da 2016-02-28 08:06:25 [item 20179#47143]

Yes it should. Person a should be fully logged in and then they can get anything fully public by person B. If they want non public stuff by person B, then they would have to additionally log in by proxy to B’s domain and then they would be as if they were A in B’s domain.

It is theoretically possible to maintain such logins as I do for groups inside one domain. But, I don’t think it is wise to make that so sticky. Too much chance of the security chain getting broken or hacked. Once per session would be safer and should be comfortable for users.

Si says
Don’t know if you want to do it the nerdy way … but you can now use the graph API to change a group password.

If you have the normal right to change it, or if you have right-edit-scripts, you can change the password of a group using the /put API as documented above.

Very clean and easy way to do it, if you are a nerd.

Obviously non-url characters in the password must be escaped. Spaces must be %20 for instance. But if it is just a letter and number password it can go in straight up. Hey, it’s an API !!!

Si says
Quite interesting and time saving possibilities exist only through the API.

For instance, in one simple quad line Seth can move all of his thoughts from one group to another. Like this line which would move all of Seth’s group fbi thoughts over to the tiggerandhobbs group. (not that he should do exactly that of course)

/put/thoughts/relocate/tiggerandhobbs?group=fbi&profile=seth

Similar possibilities exist for moving via a tag name and batch deleting by tag or author as well.

If you decide to do this, make sure you read the API definition and follow it exactly. Take note that the profile name is being used as a convenience for the author id so that you don’t have to look up the id. It is not being used as the group to move from or to even though it is a group. The API has a command to look up the author id if you prefer or need it.

Si says
What thoughts to move is not optional. So that particular url should error out because you only told it the group to select, not what thoughts in that group to select, which you could do with user id, user profile, or with a tag name. Trusting my software I clicked on the link and here is what I get.

{"count":0,"relocated":[],"error":"tag name or user designation required","result":false}

Yes, the ability of mainly group members to do pranks on each other with hard coded url’s in the pages is something to consider. FB uses a timed token to prevent that. I just implemented something similar. You now need to add a token=<pin> in put based urls. You can get your current session token with /get/token which is simply a 4 digit pin number assigned to your current session. It changes when you log out and back in, but is easy to remember while you are working. Url’s that change something require the token pin now. Can’t prank each other!

Si says

seth of group seth 2016-02-28 21:14:30 [item 20179#47192]

is the “&profile=seth” optional? Would it only move my thoughts?

so can anyone with the password for archives and faq click on the above link and instigate that move?

Just added the option of &all=true so that you can move all thoughts for ease in managing your site. This requires your right-edit-scripts right so it is only available to the prime origin and the developer gods.

Seth says

seth of group seth 2016-02-28 21:09:40 [item 20179#47191]

hmmm … sounds powerful indeed

… let me see if i understand how to use it.

I’ll think it out lound here …. don’t anybody click on it till i get it right.

i want to move all the thoughts in faq http://www.fastblogit.com/faq
to the archives http://www.fastblogit.com/archives

so according to the “command” format:

put/ thoughts / relocate / <to-group> ? group=<from-group> & profile=<group> **

i write:

http://www.fastblogit.com/put/thoughts/relocate/archives?group=faq ← dont click yet!

seth of group seth 2016-02-29 07:40:08 [item 20179#47196]

ok using th e token and scope, trying again …

http://www.fastblogit.com/put/thoughts/relocate/archives?group=faq&token=6034&all=true ← dont click yet!

seth of group seth 2016-02-29 07:46:59 [item 20179#47197]

response on click was

{"count":8,"relocated":["409","443","446","488","626","1459","1545","2661"]}

nathan of group nathan 2016-02-29 07:51:15 [item 20179#47198]

MR of group mark 2016-02-29 08:19:15 [item 20179#47201]

presumably this kind of command is guarded by some kind of rights ..

Poe of group da 2016-02-29 08:23:47 [item 20179#47203]

Presumably you have not been reading the whole dialog, or read the thought, or you woudn’t have to ask.

seth of group seth 2016-02-29 08:28:47 [item 20179#47207]

You can not do anything using the API than you could not do already given the permissions already granted to you. But if ^th e command is a “put” … something that changes the database … then you can only make a hyperlink that will work on your own browser session.

MR of group mark 2016-02-29 09:11:31 [item 20179#47215]

Apparently while I was writing this so were you people doing your instant spec … normally I don’t watch much code-jockey cross talk … code in the url area has already discussed by me

“code in the url area” is the way REST APIs are made these days. There is lots of precidence for this on the web. It works well.

Seth says

seth of group seth 2016-02-28 21:09:40 [item 20179#47191]

hmmm … sounds powerful indeed

i write:

http://www.fastblogit.com/put/thoughts/relocate/archives?group=faq ← dont click yet!

seth of group seth 2016-02-29 07:40:08 [item 20179#47196]

ok using th e token and scope, trying again …

http://www.fastblogit.com/put/thoughts/relocate/archives?group=faq&token=6034&all=true ← dont click yet!

seth of group seth 2016-02-29 07:46:59 [item 20179#47197]

response on click was

{"count":8,"relocated":["409","443","446","488","626","1459","1545","2661"]}

nathan of group nathan 2016-02-29 07:51:15 [item 20179#47198]

MR of group mark 2016-02-29 08:19:15 [item 20179#47201]

presumably this kind of command is guarded by some kind of rights ..

Poe of group da 2016-02-29 08:23:47 [item 20179#47203]

Presumably you have not been reading the whole dialog, or read the thought, or you woudn’t have to ask.

seth of group seth 2016-02-29 08:28:47 [item 20179#47207]

MR of group mark 2016-02-29 09:11:31 [item 20179#47215]

Apparently while I was writing this so were you people doing your instant spec … normally I don’t watch much code-jockey cross talk … code in the url area has already discussed by me

Poe of group da 2016-02-29 09:13:24 [item 20179#47216]

So as to code in the url area as discussed by you. Then I suppose you frown upon all the url based API’s out there, including all of Yahoo’s, and Facebook’s entire graph API?

MR of group mark 2016-02-29 09:51:25 [item 20179#47224]

Depends how well you test it against malicious intent. A person with a password can do a lot of damage. I actually mentioned that I would like this feature for some triage I was doing yesterday. kudos

Haven’t looked at facebook yet. I wonder if G+ does that.

i think most serious software packags have APIs … they allow developers outside of the enterprise to enhance its usefulness.

Mark de LA says

seth of group seth 2016-02-29 10:59:51 [item 20179#47244]

Making our tag cloud reflect what is happen here to someone just wandering bye will help us show our best sides to the world. In that regard, as wizzard of this domain, i want the power to globally curate some of our tags. For example, $wish. We haven’t used that tag here for years, yet see how prominant it is reflected in our cloud. If people click on that as a way to come in, then they will get a totally false impression of the reality of our domain.

So I want the power, as wizzard, to say something like

/put/delete/tags/?tag=<tag>& [profile=<group> | all=true ]

most of them are really old – a wizzard feeding mechanism – ~111 just searched . Maybe the body of them is also

Seth says

$wish . Yes this used to be a way for Mark (and even myself) to ask for a feature. Since i was the developer then, i can see how it was “feeding” me. We probably still need such a tag going … is is not currently nfeatures ?

Holmes says

Poe of group da 2016-02-29 11:05:25 [item 20179#47247]

Okay, that’s easy now. Just a few lines of code.
You have the order wrong though. The context is tags, the verb (action) is delete.

But in this case there is no subject, as you surmise, the subject is complex so it comes from the query properties. I only use actual subjects in api quads when the subject is is single thing, like it is in most of the /get/ commands.

seth of group seth 2016-02-29 11:06:36 [item 20179#47248]

? kewl … i am just learning the quad nature of thes commands.

Okay. This is done. See doc for full spec. The one you want is

/put/domain/tags/delete?tag=%24wish&token=nnnn

Notice I added back the domain context because tags can be dealt with at the domain, group, and even individual thought level. I am thinking about putting it back for thoughts too. Thoughts are never dealt with outside of the group level so I didn’t put it on, but for consistency of semantics maybe I should.

%24 is the dollar sign. You can figure such things out very easily in any browser. Simply right click on anything and choose inspect element. Then on the console tab, simply write escape(‘$wish’), or whatever you want to escape, and it will be printed for you. Normally you wont need to when there are no special characters other than space, which everyone knows is %20

Also realize that it can be much easier to use another browser tab and just put these things in the url bar than to monkey around with url’s in the RTE. I would only put these in a thought if I had a lot of similar work to do and wanted to copy and paste or have a record of what I did. For just a command or two, another browser tab is super easy to use and you will still be logged in the same.

Seth says

Poe of group da 2016-02-29 12:07:39 [item 20179#47257]

Seth,

It is time to have an admin account for the wizard. Now that there are becoming significant things that can be done by someone with domain level rights, you should be using a special account when you make domain level changes. It is becoming unsafe for you to be a normal blogger and have that extra power attached to your blogging account … bad things could happen unexpectedly when you do normal everyday things because your account has superpowers that you are not thinking about all the time. Having a special account you use to make sweeping changes will keep that controlled and safe and let you blog normally and see and use the system as others do in your seth account … which is also good or you won’t be aware of how others are seeing and doing things who don’t have superpowers.

seth of group seth 2016-02-29 12:42:22 [item 20179#47259]

so it will require a separate email … and i guess i can name it anything i wish. Would it not have been the name that i installed the domain?

seth of group seth 2016-02-29 12:51:20 [item 20179#47260]

i’m thinking i would like my email there to be seth@robustai.net … an email address that actually is not even being served at the moment … but one that i could serve or redirect to my normal address … er just as soon as i make that email server function properly. any objections?

or maybe not, that old address was deactivated because it had collected too much spam years ago … might still have too much going there. i’ll pick something else but it will be @robustai.net . it doesn’t need to be verified for current usage, does it?

Holmes says

Poe of group da 2016-02-29 12:07:39 [item 20179#47257]

seth of group seth 2016-02-29 12:42:22 [item 20179#47259]

so it will require a separate email … and i guess i can name it anything i wish. Would it not have been the name that i installed the domain?

seth of group seth 2016-02-29 12:51:20 [item 20179#47260]

Poe of group da 2016-02-29 12:54:49 [item 20179#47262]

You have gmail, why not just use an automatic gmail extension? You could use.

russell.seth+fbi@gmail.com

Or anything you want after the + sign. That will go to your normal gmail account and be seen as a different email address here. Then you don’t need a bunch of real email address to have to forward or check. That’s the way I always create extra accounts somewhere. A few places don’t allow pluses in email addresses, but most do, and so far, we do.

seth of group seth 2016-02-29 12:57:50 [item 20179#47264]

tha’s ok … i’ll pick something … then just sign on. i am presuming that you will attach whatever goodies to it when you see it come in … right?

Si says
Some command semantics changed a little for better consistency across all commands.
Just check the list before using something. It is current.

Si says
Thought identity can now be transferred. motility

This ability is restricted to the owner of the thought and super heroes. It would not be appropriate for other group members to change the owner of a thought.

Tags by the old owner are transferred to the new owner. Comment identity is preserved. In my opinion, it is sometimes useful or necessary to change the owner of a thought, but changing the author of a comment is pure evil and should never be done.

Seth says

nathan of group nathan 2016-02-29 10:38:58 [item 20179#47240]

Being safe with your tokens.

A token is the secret part of your API security. It should not be let into the wild or given to others just like a password. Even though others cannot use it to do their own things, if they know what your secret token is right now they can create traps for you with it. They could put an attractive url in a page and entice you to click on it, while underneath is really a url that deletes your own blog that they engineered with your token.

So keep your tokens safe. If you must hard code them somewhere for your own work, do so only in private thoughts in a private group.

And if you suspect your token is compromised or just want to feel safe, simply log out and back in. That will give you a whole new secret token.

MR 2016-02-29 10:41:31 [item 20179#47241]

wow that is a first … he made his breakfast his advatar

The Graph API

Legend

Tags

Comments

Being safe with your tokens.

See Also