August 16, 2006
@ 03:45 AM

Today I learned about which proclaims

Welcome to Facebook Developers (beta), where you can create your own projects using our application programming interface (API).

In case you've been living under a rock for the past couple of months, The Facebook is like MySpace but for college kids. It seems to have made the transformation from a cool application of the moment (a.k.a. a fad) to an actual must-have utility among the college students I've talked to about it. I've heard college girls say they look guys up on The Facebook as part of pre-date screening and these were sorority girls not geeks. The fact that they are providing an API is a very interesting turn of events especially when you consider their dominant position in their market. 

I'm particularly interested in the Facebook API because I've been thinking about what we should do to expose the Windows Live friends list via an API. The problem with exposing APIs for social networks and contact lists is that the worst case scenario is that your API gets a lot of usage from your competitors (e.g. Zooomr vs. Flickr). I've been thinking about this problem on-and-off for the past couple of months and was interested to see how Facebook API handled this problem or whether, like me, they'd come to the conclusion that if the main use of your API is people trying to leave your service then you've got other problems than just the API. I checked out the definition of the facebook.friends.get method and left with more questions than answers. The API states


Returns the identifiers of the current user's Facebook friends. The current user is determined from the session_key. The values returned from this call are not storable.


The friend ids returned are those friends visible to the calling application. If no friends are found, the method will return an empty result element.

The parts highlighted in red are interesting to say the least. I wonder what exactly is meant by "values returned from this call are not storable". Is this legal wording? Are the values encrypted in some way? What exactly does that mean? It looks like I may need to do some sleuthing around the forums except I don't have a Facebook account. Hmmm...

I was also interested in the authentication model used by the Facebook API. From reading the documentation, their authentication scheme reminds me of Yahoo's Browser Based Authentication Scheme (scheme) in that it requires users to always log-in from a browser and then either be redirected back to the calling page (much like Microsoft's Passport Windows Live ID) or for the target application to re-use the URL it got after the browser was closed if it is a desktop application. Surely, there must be a better way to authenticate desktop applications against online services than habing them launch a Web browser and having a separate, dissonant sign-in process.

PS: If the Facebook API sounds interesting to you and you'd like to do similar things with the Windows Live friends list I'd love to hear what your scenarios are. Holla at me.