So what you meant is not to expose the primary key?
That’s a more reasonable statement, but I still don’t agree. This feels like one of those “best practices” that people apply without thinking and create pointless complexity.
Don’t expose your primary key if there is a reason to separate your primary key from the externally-exposed key. If your primary key is the form that you want to expose, then you should just expose the primary key. E.g., if your primary key is a UUID, and you create a separate UUID just to expose publicly, you have most likely added useless complexity to your system.
> create pointless complexity
My exact thought.
A lot else has failed in your system, from access control to API design, if this becomes a problem. Security by obscurity isn’t the answer.
If the only thing between an attacker and your DB is that they can’t guess the IDs, you’re already in some serious trouble.
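The point the last two comments make, that an authorization check and not key secrecy is the control, written out as an added example (it is not code from anyone in this thread). The `Document`, `DocumentStore`, `fetch_by_secrecy` and `fetch_authorized` names and the in-memory data are constructed for the illustration:

```python
"""Added illustration: authorization, not ID unguessability, is the control.

Constructed in-memory data; the class and function names are assumptions
made for this example, not taken from any real project.
"""
import uuid
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the document."""


@dataclass
class Document:
    doc_id: object   # int (sequential primary key) or uuid.UUID, both are fine
    owner: str
    body: str


@dataclass
class DocumentStore:
    docs: dict = field(default_factory=dict)

    def add(self, doc: Document) -> None:
        self.docs[doc.doc_id] = doc

    def fetch_by_secrecy(self, doc_id):
        """Weak pattern: the only 'check' is that the caller knew the key.
        Swapping a sequential int for a UUID makes the key harder to guess
        but adds no authorization at all."""
        return self.docs.get(doc_id)

    def fetch_authorized(self, requester: str, doc_id) -> Document:
        """Sound pattern: look up by whatever primary key you already have,
        then enforce ownership. Exposing that key is then harmless."""
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner != requester:
            # Same error for 'missing' and 'not yours', so the response does
            # not reveal which keys exist.
            raise Forbidden(f"no access to {doc_id!r}")
        return doc


# Constructed sample keys: one sequential, one UUID.
ALICE_KEY = 42
BOB_KEY = uuid.UUID("12345678-1234-5678-1234-567812345678")


def build_demo_store() -> DocumentStore:
    """Constructed sample data with both key styles in the same store."""
    store = DocumentStore()
    store.add(Document(ALICE_KEY, "alice", "alice's notes"))
    store.add(Document(BOB_KEY, "bob", "bob's notes"))
    return store


def can_read(store: DocumentStore, requester: str, doc_id) -> bool:
    """True only if the requester passes the ownership check."""
    try:
        store.fetch_authorized(requester, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    s = build_demo_store()
    print("alice reads 42:", can_read(s, "alice", ALICE_KEY))   # True
    print("bob reads 42:", can_read(s, "bob", ALICE_KEY))       # False
    print("secrecy-only lookup of 42:", s.fetch_by_secrecy(ALICE_KEY).owner)
```

With `fetch_authorized` in place the key format is irrelevant to access control: the sequential `42` and the UUID are protected identically, so generating a second "public" UUID purely to hide the primary key buys nothing. With `fetch_by_secrecy`, no key format fixes the missing check.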