Wednesday, June 22, 2016

things from a Web API discussion yesterday

  • The HATEOAS hypermedia stuff is a good way to provide documentation to make an API discoverable.
  • My colleagues have often seen security for the ASP.NET Web API in such a shape that one hands in usernames and passwords in plain text over HTTPS. This seems pretty common in the field. There really is no security functionality to the Web API itself, so you are left to cowboy code your own fix, and this is how a lot of people do it. What if you want a nonce (pronounced "en once" maybe? think n in n+1) approach in which someone cannot hit a second time or attempt a brute-force attack? Maybe it's best to send a packet with your IP address, the datetime, a key, and the request URI, amongst other things. This should make the packet hard to spoof. The key could be temporary and time out.
  • "limit" and "offset" are often allowed as URI parameters for pagination when retrieving records, which are likely to be GET requests anyway. You can pass URI parameters even beyond GET calls and make sense of them, though.
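The nonce idea from the second bullet, worked through as an added example (this is not code from the original post and not part of ASP.NET Web API; it is a generic illustration of the scheme). The client binds its IP address, a timestamp, a random nonce, the HTTP method and the request URI into one string and computes an HMAC over it with a shared, expiring key; the server recomputes the HMAC, rejects timestamps outside a window, rejects a key past its expiry, and rejects any nonce it has already seen. The header names, the key value and the expiry times are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values; a real deployment issues a per-client key with its own expiry.
SHARED_KEY = b"example-temporary-key"
ALLOWED_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too far ahead


def canonical_string(client_ip, timestamp, nonce, method, uri):
    # Every field the server checks is bound into one string, so changing any of them breaks the MAC.
    return "\n".join([client_ip, str(timestamp), nonce, method.upper(), uri]).encode()


def sign_request(key, client_ip, method, uri, timestamp=None, nonce=None):
    """Client side: produce the authentication headers (assumed header names) for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(client_ip, timestamp, nonce, method, uri),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: checks key expiry, the timestamp window, the MAC, and that the nonce is fresh."""

    def __init__(self, key, key_expires_at, now=time.time):
        self.key = key
        self.key_expires_at = key_expires_at  # the "temporary key that times out" from the notes
        self.now = now                        # injectable clock so the checks can be tested
        self.seen = {}                        # nonce -> time after which it can be forgotten

    def verify(self, client_ip, method, uri, headers):
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        now = int(self.now())
        if now > self.key_expires_at:
            return False, "key expired"
        if abs(now - timestamp) > ALLOWED_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        expected = hmac.new(self.key, canonical_string(client_ip, timestamp, nonce, method, uri),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):  # constant-time comparison
            return False, "bad signature"
        self._prune(now)
        if nonce in self.seen:
            return False, "replayed nonce"
        # Remember the nonce for as long as its timestamp could still pass the window check.
        self.seen[nonce] = now + ALLOWED_SKEW_SECONDS
        return True, "ok"

    def _prune(self, now):
        # Forget nonces whose timestamps could no longer pass the window check anyway.
        for n, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[n]


if __name__ == "__main__":
    clock = 1_000_000
    verifier = Verifier(SHARED_KEY, key_expires_at=clock + 3600, now=lambda: clock)
    headers = sign_request(SHARED_KEY, "203.0.113.5", "GET", "/api/orders?limit=10",
                           timestamp=clock, nonce="n1")
    print(verifier.verify("203.0.113.5", "GET", "/api/orders?limit=10", headers))  # (True, 'ok')
    print(verifier.verify("203.0.113.5", "GET", "/api/orders?limit=10", headers))  # replay rejected
```

The timestamp window bounds how long the server has to remember nonces, which is what keeps the replay cache from growing without limit; the IP address in the canonical string is only as trustworthy as whatever sits in front of the server (proxies and load balancers rewrite it), so treat it as one more bound field rather than the main defence.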
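For the third bullet, an added example (not from the original post) of reading "limit" and "offset" from a request URI the defensive way: a missing value falls back to a default, a non-integer or negative value is rejected, and "limit" is clamped to a ceiling so that a single request cannot pull an entire table. The default and maximum values are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_LIMIT = 20   # assumed default page size
MAX_LIMIT = 100      # assumed ceiling; an unbounded limit lets one call fetch everything


def parse_pagination(uri):
    """Return (limit, offset) parsed from the URI's query string, validated and clamped."""
    query = parse_qs(urlsplit(uri).query)

    def first_int(name, default):
        values = query.get(name)
        if not values:
            return default
        try:
            return int(values[0])
        except ValueError:
            raise ValueError(f"{name} must be an integer")

    limit = first_int("limit", DEFAULT_LIMIT)
    offset = first_int("offset", 0)
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset must be >= 0")
    return min(limit, MAX_LIMIT), offset


def page(records, uri):
    """Apply the parsed pagination to an in-memory list (constructed stand-in for a query)."""
    limit, offset = parse_pagination(uri)
    return records[offset:offset + limit]


if __name__ == "__main__":
    print(parse_pagination("/api/orders?limit=5&offset=10"))   # (5, 10)
    print(parse_pagination("/api/orders?limit=5000"))          # (100, 0), clamped
    print(page(list(range(30)), "/api/orders?limit=5&offset=28"))  # [28, 29]
```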
