Best Practice: Third party API on client (Desktop) or Server

Question

I have a small Desktop application (Windows+Mac) that uses third-party API calls (RESTful) to collect some data and present results to users.

At this moment, the API calls (open and free APIs) are made directly from the client (approach #1). However, I am wondering if this is a bad practice.

As an alternative, I would make a single API call to our server and from there I would call all the third-party APIs (approach #2), then send the results to the client.

• Approach 1 has the advantage... that it is already up and running;
• Approach 2 is easier to react to API changes without needing to update the clients.

More thoughts?

Answer 1

You are right at wondering if calling 3rd party APIs from the client is "convenient".

It's not necessarily bad practice tho. You will see web applications and mobile applications doing this. You will hear of them as mashups.

These are applications that, for one reason or another, are not backed by a proprietary server application.

However, if we run that missing server application and we own both, server and client; it's highly advisable to decouple the client from 3rd party APIs and make our server the only source of trust and control. Basically for the reasons you gave Approach 2 is easier to react to API changes without needing to update the clients.

It's not only easier to mitigate issues due to 3rd parties API changes, it's easier to change one API provider for another or change it by your own solution and this without rewriting and redeploying the client. Redeploying a web app client might not seem too concerning, but for mobile or desktop app it's. It's safer too when remote APIs require authorization or authentication because the credentials are stored on the server, far from malicious intentions.

Your server also allows you to hide the complexity of each service, providing clients with a facade simpler to integrate with.