Request for feedback - debit card company mobile api

Hello,

First, an intro: I've been working with Open Source Software for about 13
years and with the Drupal web application framework for about 7 years. I'm
a member of the Drupal Security Team and contribute code to Drupal core and
contributed modules. I work at www.CARD.com, which is
a prepaid debit card processor and issuer. If you're interested in any of
that, I'm happy to talk more either on-list or off.

Second, the API: We're building a mobile phone application and created a
JSON API to get data about the application. I've not built many APIs (and
documented fewer) so I'm writing to get feedback on the API and our
documentation. It's available at
https://docs.google.com/document/d/1W60GmgttcLuHCDaROFWKo0Zk73B14oNcNMF8mlsYC2Q

I talked to Manu Sporny a while ago and he suggested that this list might
be interested in reviewing and discussing our API. Some specific questions
I have about the API:

   - We're currently only building it for consumption by our smartphone
   app, but ultimately it could be consumed by any client. Do folks see value
   in this? If so, please give some specific use cases. We may be limited from
   enabling some features due to regulation.
   - We'll be adding some more features to the API that include actions on
   the server (invite friends and card-to-card transfers). I'm looking to
   prevent abuse of these features via CSRF and thinking about two patterns.
   In one pattern there is an API that provides a nonce that can be used in
   other operations - this pattern is used by several modules in Drupal. A
   second pattern is Stateless CSRF protection proposed at
   http://appsandsecurity.blogspot.de/2012/01/stateless-csrf-protection.html -
   any thoughts on either of these or other solutions?

Thanks!
Greg

--
Greg Knaddison | 720-310-5623 | http://knaddison.com |
http://twitter.com/greggles

Received on Sunday, 30 June 2013 21:42:06 UTC
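As an added illustration (not code from the original message or from CARD.com), the two CSRF patterns from the second bullet side by side: the stateless token, which binds an HMAC to the session and an issue time so the server stores nothing, and a minimal nonce service, which remembers each nonce until it is consumed. The secret, TTL and session identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed secret for this example only; a real deployment loads it from config/KMS.
SERVER_SECRET = b"constructed-example-secret-rotate-me"
TOKEN_TTL_SECONDS = 15 * 60


def _mac(session_id: str, issued_at: int) -> str:
    # The MAC covers the session id, so a token minted for one session fails for another.
    return hmac.new(SERVER_SECRET, f"{session_id}|{issued_at}".encode(), hashlib.sha256).hexdigest()


def issue_stateless_token(session_id: str, now: Optional[int] = None) -> str:
    """Pattern 2 (stateless): token = <issued_at>.<hex HMAC>; nothing is kept server-side."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def verify_stateless_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Reject malformed, future-dated, expired or forged tokens; compare in constant time.
    Trade-off: a valid token replays freely until it expires, because no state is kept."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_mac(session_id, issued_at), mac)


class NonceStore:
    """Pattern 1 (nonce service): the API hands out a one-time nonce and stores it.
    Replay is impossible, at the cost of server-side state per outstanding nonce."""

    def __init__(self) -> None:
        self._issued: Dict[str, str] = {}  # nonce -> session_id that requested it

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = session_id
        return nonce

    def consume(self, nonce: str, session_id: str) -> bool:
        # pop() removes the nonce, so a second use of the same value is rejected.
        return self._issued.pop(nonce, None) == session_id
```

Either token must reach the client over a channel a cross-site page cannot read (the authenticated JSON response or a custom header), and the action endpoint must check it against the same session that authenticates the request.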