Question posted in 
I have had this discussion a couple of times in my career. In my view it is perfectly okay to expose the ids that are stored in the database to the client in your REST API response. But some people I’ve worked with think this is really one of the first lesson in security: “Never expose your database IDs to the client.”
Then they come with all kind of complexity to avoid this. For example, in one job I had to hash every ID in my rest response, and then unhash all the ids in the request.
Now in my new job we have the following pattern. A table has an auto incrementing “id”, but we don’t expose that, next to that we have a uuid “code”, and that is the one we expose to the client. So essentially we have 2 ids, both stored in the DB, but one we can expose, the other we can, because:
“Never expose your database IDs to the client.”
Does this even slightly make sense? We still expose an “identifier” to the client. If the problem is that someone can see how many rows we have in a table, because that “id” is auto incrementing, I would just make the “id” an uuid, and expose that to the client.
If you look at examples of other public rest API’s, it always seem to me that they expose the database id, without problem. For example, gitlab:
GET /projects/:id/users
[
{
"id": 1,
"username": "john_smith",
"name": "John Smith",
"state": "active",
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
"web_url": "http://localhost:3000/john_smith"
},
{
"id": 2,
"username": "jack_smith",
"name": "Jack Smith",
"state": "blocked",
"avatar_url": "http://gravatar.com/../e32131cd8.jpeg",
"web_url": "http://localhost:3000/jack_smith"
}
]
Twitter:
https://api.twitter.com/1.1/statuses/show.json?id={id}
But even stackoverflow:
https://stackoverflow.com/questions/{id}
https://stackoverflow.com/users/{id}
I would bet that 2188707 in the url https://stackoverflow.com/users/2188707 is just my user id in the stackoverflow database.
5
Answers
I don’t see any security reasons to expose the plain database ID in your API.
If your database is exposed you have lost anyways. Security through obscurity is never a solution.
However, there are some other reasons to consider:
Exposing the database ID creates a coupling to your database. Imagine merging data from different databases (sharing the same schema), or applying backup data to an already in use database. There will be no guarantee that the same ID’s will still be available.
Designing a proper Resource based API requires you to expose universally unique ids (UUID) or a technical composite key for the simple reason that there is no other way to ensure uniqueness across different systems/databases.
Not a security issue, but it let the user know some information about the size of your data as a company. and some companies don’t prefer to expose this kind of information
by exposing the ids for exemple in API users, if someone can create a new user, then call your user API, he can automatically know how many users you do have in your database, and in many busnisses this is not the kind of information that you want your concurrence to know.
There are a few issues with sequential primary keys:
Source: adapted from Two Scoops of Django 1.11
This question is very old but can response now in case the answer is useful to someone new.
‘I would just make the "id" an uuid, and expose that to the client.’.
The reason why numeric id is hiden and expose other with uuid is because for the DB Systems have bad performance with index for uuid fields, too with foreign keys with uuid type increase storage, depending of uuid version and index type of course.
For this reason many systems set autoincremental numeric in primary key but hide that in expose information, with uuid field have the same prevent expose.