The API is a fantastic resource for folks in the ecosystem who want to build tools. Blackbaud and the K12 API team deserve props for getting it off the ground and making it good.
The biggest area for innovating the API lies with improving the token-based authentication scheme to better meet the needs of development for apps.
Here's the heart of my problem:
Say you're designing a mobile app that needs to make calls to the API and grab some data on behalf of a user. In this scenario, the way tokens are implemented is extremely problematic. Assume we followed Blackbaud's guidance and created a user in our Blackbaud instance that would be granted full API rights for this project. We'll call that user WEBAPIUSER.
Now let's consider humans who are going to use our app, each with their own device. Human 1 opens the app on her device and the backend needs to make some API calls. The first thing it must do is authenticate WEBAPIUSER against the authentication endpoint and get a token back that the app can then use to make calls to various endpoints. Theoretically, this sounds great, but the problem emerges when Human 2 pulls out his phone and wants to use the app. When he opens up the app, the same thing happens -- the backend goes to authenticate WEBAPIUSER and get a token. At this point, everything is working great for Human 2, but suddenly Human 1's app starts throwing authentication errors left and right.
WHY? Because a new user token is generated whenever the WEBAPIUSER is authenticated, which suddenly renders useless the token that was previously active.
There are certainly many ways to hack around this problem, but the best solution would be for Blackbaud to offer a new type of API token at the app level, just as most commercial platforms do. Ideally, an App Project would be created by the developer and the developer would be given a unique token for that app which would not expire or be reset unless the developer explicitly chooses to generate a new app token. To make it more in line with contemporary API trends, they should also think about giving developers control over which scopes the project's API token would have access to.
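The single-active-token behaviour described above, next to one backend-side workaround that shares a single token across all app sessions, as an added example (not from the original post and not Blackbaud's API). The auth server is a constructed in-memory stand-in; `SingleTokenAuthServer`, `SharedTokenBroker` and the 200/401 status values are assumptions.

```python
import secrets
import threading

class SingleTokenAuthServer:
    """Constructed stand-in: each authentication revokes the previous token."""
    def __init__(self):
        self._active = None
        self.logins = 0

    def authenticate(self, username):
        self.logins += 1
        self._active = secrets.token_hex(8)  # replaces any earlier token
        return self._active

    def call(self, token):
        return (200, "data") if token == self._active else (401, None)

class SharedTokenBroker:
    """Backend-side holder (hypothetical): all sessions reuse one token."""
    def __init__(self, server, username="WEBAPIUSER"):
        self._server, self._username = server, username
        self._token = None
        self._lock = threading.Lock()  # serialise login and retry

    def call(self):
        with self._lock:
            if self._token is None:
                self._token = self._server.authenticate(self._username)
            status, body = self._server.call(self._token)
            if status == 401:  # token replaced elsewhere: log in once, retry
                self._token = self._server.authenticate(self._username)
                status, body = self._server.call(self._token)
            return status, body

def naive_flow():
    """Per-session login, as in the post: Human 2's login breaks Human 1."""
    server = SingleTokenAuthServer()
    human1 = server.authenticate("WEBAPIUSER")
    human2 = server.authenticate("WEBAPIUSER")  # revokes human1's token
    return server.call(human1)[0], server.call(human2)[0]

def brokered_flow():
    """Three requests from different humans go through one broker."""
    server = SingleTokenAuthServer()
    broker = SharedTokenBroker(server)
    statuses = [broker.call()[0] for _ in range(3)]
    return statuses, server.logins
```

The broker only helps if every process that uses WEBAPIUSER goes through the same instance; two independent brokers would keep revoking each other's token on every 401 retry.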