Reject requests that don't contain a valid User Agent string

[monfresh]

Look into libraries that validate user agent strings.

[ycombinator]

I'm curious: what is the use case for the API requiring a valid user agent string or a user agent string at all? Not saying this is unnecessary or wrong; just curious what use case it satisfies. Thanks.

[monfresh]

It makes it easy to identify the application in case of errors. I borrowed this feature from GitHub's API:

All API requests MUST include a valid User-Agent header. 
Requests with no User-Agent header will be rejected. 
We request that you use your GitHub username, 
or the name of your application, for the User-Agent header value. 
This allows us to contact you if there are problems.

[ycombinator]

Got it, thanks! Interesting solution for the use case. Another solution for this same use case that I've seen in the past is to identify the application via the api_key or app_id or similar parameter.

[monfresh]

We support both requests without an X-API-Token header and those with one. If a valid token is not present, the requests are limited to 60 per hour. Otherwise, 5000 per hour. If the token is not there, we can use the user-agent for identification.