Dogfooding Moment: How Missing OG Images Led to Better API Security
2025-01-10
When Your Own Product Saves Your Launch: The Story Behind Signed API Keys
Ever had that moment right before launching something where you spot a critical issue? Yeah, that just happened to us. Picture this: We're two days post-landing page deployment, tweet drafted and ready to go, finger hovering over the send button, when we notice – our OG images are missing. 🤦‍♂️
Dogfooding to the Rescue
The solution seemed obvious: "Hey, we built a screenshot tool, let's use SCRNIFY to generate our OG images!" But then came the "hold up" moment. If we put our API key in the meta tags, anyone could grab it and use our service on our dime. Not ideal.
This "aha moment" led to one of our most important features: Signed API Keys.
Introducing Signed API Keys
We now offer two types of API keys:
- Basic API keys (simple, straightforward)
- Signed API keys (with added security)
The signed version works like this: You get both an API key and a secret key. Using HMAC-SHA256, you generate a signature that's added to your requests. It's like a tamper-proof seal that ensures nobody can use your key without knowing your secret. Pretty neat, right?
But Wait, There's More: Smart Caching
While implementing signed keys, we thought, "Why stop there?" So we added intelligent caching:
- Cache duration is flexible: anywhere from 1 second to 30 days
- Works for both screenshots and videos
- Best part? Cached requests are completely free! 🎉
The cache is configuration-based, meaning if you screenshot the same URL with the exact same parameters (width, height, etc.), you'll get the cached version. Change even one pixel in your config? That's a new cache entry.
The Technical Bits
For the developers out there wondering about the details:
- Every signed request requires a cache_ttl parameter
- Minimum cache time is 1 second (here's why: even with a 1-second cache, you're limited to 86,400 requests per day. Without it, a bad actor could fire that many requests in a single second 😱)
- Cache entries are unique per configuration - change any parameter, and you get a fresh screenshot
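Here is an added example, not SCRNIFY's own code, of how a signed capture URL can be built and checked with HMAC-SHA256, including the cache_ttl requirement. The canonical form that gets signed (parameters sorted by name and URL-encoded, signature appended last) is an assumption based on the example URL on this page, and the key and secret are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

BASE = "https://api.scrnify.com/capture"  # endpoint as shown in the page's example URL
API_KEY = "EXAMPLE_API_KEY"    # constructed placeholder
SECRET = "EXAMPLE_SECRET_KEY"  # constructed placeholder, stays on the server


def canonical_query(params):
    # Assumption: the signed string is the query sorted by parameter name.
    return urlencode(sorted(params.items()))


def _mac(secret, message):
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def sign_url(params, api_key, secret):
    """Build a URL that is safe to publish: it carries the key, not the secret."""
    if "cache_ttl" not in params:
        raise ValueError("signed requests require cache_ttl")
    query = canonical_query({**params, "key": api_key})
    return f"{BASE}?{query}&signature={_mac(secret, query)}"


def verify_url(url, secret):
    """Service-side check: recompute the HMAC over every parameter but signature."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # repeated names could hide a second value
        return False
    supplied = params.pop("signature", "")
    if "cache_ttl" not in params:
        return False
    expected = _mac(secret, canonical_query(params))
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    og = sign_url({"url": "https://example.com", "width": 1200,
                   "height": 675, "cache_ttl": 3600}, API_KEY, SECRET)
    print(og)
    print("as issued:", verify_url(og, SECRET))
    # Someone copies the URL from a meta tag and asks for a bigger render.
    print("width changed:", verify_url(og.replace("width=1200", "width=4000"), SECRET))
```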
See It in Action
Want to see the result that saved our launch? Here's the actual OG image we're using:
https://api.scrnify.com/capture?cache_ttl=3600&height=675&key=OTeR1ZknEBwe7Y_DU0YqD8HMTR6IPPbl&url=https%3A%2F%2Fscrnify.com&width=1200&signature=0609ef9d812a0e1695071efb4a80a6b2730fdff8fb6e6578461472ce7215ae95
What's Next?
We're already working on more features, including the ability to revoke/delete keys. Because security isn't just about implementation – it's about giving users control.
The Bottom Line
Sometimes the best features come from your own needs. We needed secure API keys and efficient caching, and we figured other developers would too. It's about building tools we'd want to use ourselves.
And yes, we did send that tweet – with a proper OG image, thanks to SCRNIFY. Talk about eating your own dog food! 🐕 You can check out our launch announcement here to see how it all turned out!
Cheers, Laura & Heidi 🇦🇹
Want to try it out? Head over to SCRNIFY and generate your own API keys. Remember: cached requests are free, so go wild (within reason, of course 😉)!