My position:
I've developed (most of) an app using the BetFair Free API, and I'm pretty happy with it. I'm at the stage where I think it's probably useful to other people, so I'm seriously looking at taking a "proper" API subscription and selling it on (at a pretty minimal price... so long as I make back the API subscription costs each month, all should be well).
It's just me developing this - There's no startup investment, no company behind it to fund development. Thus, I need the app to start paying for itself almost as soon as I take the subscription. I think I can get enough customers to get going with, but I can't really afford much delay between paying BetFair for the API usage, and collecting cash from customers.
My query:
I came across information about the BetFair security validation at https://bdp.betfair.com/index.php?op...d=76&Itemid=58 - The wording here seems to imply that the certification is mandatory before I can ship my product to users, rather than being an additional level of reassurance for my customers.
It seems that in order to be allowed to sell my product on, I need to get it certified. Fair enough - I can see the rationale behind the rules, and I'm happy to comply, but I've got a few questions:
1 - So, is this mandatory? I'm not going to name names (so don't ask), but I know of at least one popular BF API application which caches usernames and passwords locally. Am I just looking at a well-intentioned but out-of-date set of requirements?
2 - User provisioning - The user provisioning section of the requirements has a long description of a workflow, enabling a vendor to provision a client without having visibility of their username. A few questions about this one...
2a - It makes a reference to a createVendorAccessRequest token, but there's no mention of that in the Vendor API documentation at http://bdphelp.betfair.com/VendorAPI.../VendorAPI.pdf - Am I looking at the right documentation?
2b - Pretty much the whole vendor API is specified using usernames. This seems to be at odds with the requirement that "A Vendor must not have visibility of a user's Betfair username, password or any other sensitive data that may link a user of a product to a Betfair account". I have no interest in collecting users' IDs, and have worked out a subscription system that would pretty much allow me to use them when needed and never store them (thus negating any "What happens if my server gets rooted" worries on my part), but this API/requirement conflict seems pretty confusing.
3 - The certification process. It seems that BF want a copy of the binaries and various documentation, which is fair enough, although I'd have thought they'd want the source(?). Once you're certified, they provide a vendor ID, which you use in the login process. So...
3a - I assume you can log in using a productID (which I assume you get when registering for an API subscription?) and no VendorID? This seems at odds with the documentation. If not, do you have to use the Free Access API for the version you send for certification?
3b - Once you've got a vendor ID, you need to embed this in your application for use in the login process. Surely this is going to invalidate the MD5 (or other checksum) of the binaries that BF have certified?
4 - Finally, the time taken in certification. The requirements mention that you should "allow up to four weeks for the security certification and authorisation of your product". Fair enough - These things don't just happen magically, but am I expected to have a valid API subscription during this time? That's pretty much £100-worth of API access when I can't sell the product while it's being certified, and I really can't afford to do that right now.
So - Comments on any or all of these gratefully received... Here's hoping for a happy outcome that lets me pay BF even more money.
Thanks
Pete
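Question 3b above raises a concrete integrity point: any value written into the certified binary after certification changes its checksum. The following is an added illustration, not code from the original post or from BetFair; it uses a constructed stand-in for the binary and a placeholder vendor ID. It contrasts baking the vendor ID into the artifact (the digest no longer matches the certified one) with keeping the artifact untouched and loading the vendor ID from an external configuration file (the digest still matches). The names `embed_vendor_id`, `write_external_config` and `verify_deployed` are assumptions made here for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for the application binary that would be submitted
# for certification. Not a real executable.
CERTIFIED_BINARY = b"\x7fELF" + b"betting-app-core-v1" + b"\x00" * 32


def digest(data: bytes) -> str:
    """Hex digest of an artifact. SHA-256 is used here; the point is the same
    for MD5 or any other checksum the certifier records."""
    return hashlib.sha256(data).hexdigest()


def embed_vendor_id(binary: bytes, vendor_id: str) -> bytes:
    """Approach A: append the vendor ID to the binary after certification.
    Any such modification produces a different artifact and a different digest."""
    return binary + b"VENDOR_ID=" + vendor_id.encode()


def write_external_config(directory: Path, vendor_id: str) -> Path:
    """Approach B: leave the certified binary untouched and ship the vendor ID
    in a separate configuration file that the application reads at login time."""
    path = directory / "vendor.json"
    path.write_text(json.dumps({"vendor_id": vendor_id}))
    return path


def load_vendor_id(config_path: Path) -> str:
    """Read the vendor ID back from the external configuration file."""
    return json.loads(config_path.read_text())["vendor_id"]


def verify_deployed(deployed_binary: bytes, certified_digest: str) -> bool:
    """Check that the binary actually shipped is byte-for-byte the certified one."""
    return digest(deployed_binary) == certified_digest


def compare_approaches() -> dict:
    """Run both approaches against the same certified digest and report which
    one still verifies. Returns a dict so the results can be asserted on."""
    certified = digest(CERTIFIED_BINARY)
    vendor_id = "VENDOR-ID-PLACEHOLDER"  # placeholder; a real ID is issued at certification

    baked = embed_vendor_id(CERTIFIED_BINARY, vendor_id)

    with tempfile.TemporaryDirectory() as tmp:
        config = write_external_config(Path(tmp), vendor_id)
        loaded_vendor_id = load_vendor_id(config)

    return {
        "certified_digest": certified,
        "embedded_digest": digest(baked),
        "embedded_verifies": verify_deployed(baked, certified),
        "external_verifies": verify_deployed(CERTIFIED_BINARY, certified),
        "vendor_id_from_config": loaded_vendor_id,
    }


if __name__ == "__main__":
    for key, value in compare_approaches().items():
        print(f"{key}: {value}")
```

Keeping the vendor ID outside the certified artifact means the binary's checksum stays valid, but the configuration file is then outside the certifier's hash and needs its own integrity protection (for example a signature checked at startup), otherwise a tampered config is just as easy to swap in as a tampered binary.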