Authentication overview

What The Commit provides a straightforward API designed for generating humorous and often nonsensical commit messages. Unlike many APIs that handle sensitive data or require user-specific actions, What The Commit's primary function is to serve public, randomized text. Consequently, the API does not implement traditional authentication mechanisms such as API keys, OAuth tokens, or JWTs for its core service.

This design choice simplifies integration for developers who wish to incorporate its output into non-critical applications, such as internal tools for mocking development workflows, generating placeholder text in UI designs, or for entertainment purposes. The absence of authentication requirements means that any client capable of making an HTTP GET request can retrieve a commit message directly from the endpoint. Developers should consult the What The Commit homepage for any updates regarding service terms or potential future changes to access methods, although none are anticipated for its current public offering.

Supported authentication methods

What The Commit's API supports a single access method for its core functionality: public, unauthenticated access. This means that no specific credentials, tokens, or signatures are required to make requests to the API endpoint. While this differs from enterprise-grade APIs that often employ robust security protocols like OAuth 2.0 or mutual TLS, it aligns with a service whose primary purpose is to deliver non-sensitive, publicly consumable content.

The table below summarizes the access method:

Method When to Use Security Level
Public Access (No Auth) All standard API requests to retrieve commit messages. Minimal (suitable for public, non-sensitive data).

For comparison, many commercial APIs, such as those from Stripe Payments or AWS services, require authenticated requests using API keys, OAuth tokens, or signed requests to protect sensitive data and control access. What The Commit's model bypasses these complexities, making it accessible for quick integration without an extensive setup process. This approach is common for APIs that provide static or publicly available data and do not manage user accounts or private information.

Getting your credentials

Since What The Commit's primary API endpoint for generating commit messages operates without authentication, there are no specific credentials (such as API keys, client IDs, or secrets) to obtain. Developers are not required to register for an account or generate any form of token to access the service. This simplifies the onboarding process, allowing immediate integration into projects.

To use What The Commit, developers typically only need to know the API endpoint URL. Any rate limiting or usage policies would be communicated directly on the official What The Commit website, though for a public, unauthenticated service, direct access is generally assumed under fair use policies. For web APIs, User-Agent headers are generally recommended to identify your application, though they are not authentication credentials.

Authenticated request example

As What The Commit does not require authentication, an example request is a simple HTTP GET call to its public endpoint. The following examples demonstrate how to retrieve a random commit message using common HTTP clients without any authentication headers.

cURL Example

Using curl, a standard command-line tool, to make an unauthenticated request:

curl -X GET https://whatthecommit.com/api/r.txt

This command sends an HTTP GET request to the specified URL. The -X GET flag explicitly sets the request method to GET, though it is often the default. The API responds directly with a plain text commit message.

Python Example

Using the requests library in Python:


import requests

url = "https://whatthecommit.com/api/r.txt"
response = requests.get(url)

if response.status_code == 200:
    print("Commit Message:")
    print(response.text.strip())
else:
    print(f"Error: {response.status_code}")

This Python script makes a GET request to the API and prints the returned text if the request is successful (HTTP status code 200). Error handling is included to catch potential issues, such as network problems or server errors. No authentication headers or parameters are included in the requests.get() call.

Node.js Example (fetch API)

Using the built-in fetch API in Node.js (available in recent versions or via polyfill):


async function getCommitMessage() {
  const url = "https://whatthecommit.com/api/r.txt";
  try {
    const response = await fetch(url);
    if (!response.ok) {
      throw new Error(`HTTP error! status: ${response.status}`);
    }
    const commitMessage = await response.text();
    console.log("Commit Message:");
    console.log(commitMessage.trim());
  } catch (error) {
    console.error("Error fetching commit message:", error);
  }
}

getCommitMessage();

This JavaScript example demonstrates an asynchronous function that fetches the commit message. It checks if the response was successful before extracting and printing the plain text content. Like the other examples, no authentication headers are passed in the fetch options.

Security best practices

While What The Commit's API does not require authentication and therefore eliminates many common security concerns related to credential management, adhering to general web security best practices is still important for any application consuming external APIs.

  1. Always Use HTTPS: Ensure all requests to whatthecommit.com use HTTPS. The service itself enforces HTTPS, encrypting data in transit. This prevents eavesdropping and tampering with the commit messages even though they are not sensitive. The Cloudflare guide to SSL/TLS explains the importance of encrypted connections.
  2. Input Validation (Client-Side): Although What The Commit's API doesn't accept input parameters that would typically require validation, if you were to integrate it with a system that takes user input before making an API call (e.g., to influence a future version of the API), always validate and sanitize any user-provided data. This prevents common vulnerabilities like injection attacks if your internal system processes that input.
  3. Error Handling: Implement robust error handling in your application. While the API is generally reliable, network issues or temporary service interruptions can occur. Gracefully handling HTTP status codes other than 200 (e.g., 500 for server errors, 404 if an endpoint changes) ensures your application remains stable.
  4. Rate Limiting (Your Application): Even without explicit API-side rate limits, it's good practice to implement client-side rate limiting or caching if your application makes a very high volume of requests. This can prevent your application from inadvertently overwhelming the server or being flagged for unusual activity, even if a formal policy isn't published. Regularly check the What The Commit homepage for any updated usage policies.
  5. Keep Dependencies Updated: If your application uses libraries or frameworks to make HTTP requests (e.g., requests in Python, axios in JavaScript), ensure these are kept up-to-date. Security vulnerabilities can exist in HTTP client libraries, and updating them patches known issues, as detailed in various Google Cloud security best practices for application development.
  6. Monitor Network Traffic: For critical applications or debugging, monitor the network traffic generated by your API calls. This can help identify unexpected behavior, such as calls to incorrect endpoints or unusual data transfer patterns, although for this specific API, the traffic is minimal and predictable.

By following these general security practices, developers can ensure their integrations with What The Commit remain reliable and secure within their broader application ecosystem, even for a public, unauthenticated API.