DEV Community: Dawid Makowski

Your AI API, your rules: Introducing Custom AI Job instructions

Dawid Makowski — Thu, 02 Apr 2026 13:26:10 +0000

The problem with one-size-fits-all AI

SharpAPI's endpoints are built to work out of the box. You send a resume, you get a score. You send a job title, you get a description. That's the promise, and it holds for most use cases.

The workaround until now was wrapping our API in your own middleware, manually injecting context before every call. That works, but it's boilerplate you shouldn't have to write.

We shipped a native per-account, per-endpoint instruction system. You write the context once. We inject it into every relevant AI request automatically, at the right layer, without touching your API calls.

How it works

Every SharpAPI account now has a Customize AI Jobs section in the dashboard. It lists all available AI job types grouped by category, from HR and recruitment endpoints to e-commerce and content tools.

For each job type, you can write a free-form instruction. Think of it as a persistent system note to the underlying model: "for every resume scoring request I make, apply these priorities." Once saved and toggled active, that instruction is automatically injected before the AI processes your request.

Step 1: Open the dashboard and go to Customize AI Jobs Find it in the sidebar, right below Custom Workflows. All job types are listed and grouped by category.

Step 2: Expand the endpoint you want to customize Each card has an inline editor. Write your instruction in plain language, no special syntax required.

Step 3: Save and activate You'll see a confirmation prompt before saving, since changing instructions affects your output. Toggle it on, and you're done.

Step 4: Your API calls stay exactly the same No changes to request format, headers, or parameters. The customization happens server-side, invisibly, for every matching request.

What this looks like in practice

Say you're using the Resume Scoring endpoint to screen candidates for a Cloud Architect role. Without a custom prompt, the model scores resumes against a generic template. With one, you can shift those priorities permanently for your account:

Weight cloud certifications (AWS, GCP, Azure) significantly higher than general programming experience. Penalize resumes with no evidence of distributed systems work. Flag any candidate with fewer than 3 years of hands-on infrastructure experience regardless of their total years in software.

Your API call stays unchanged. But behind the scenes, your custom instruction is already baked in. Every candidate's resume is scored against your actual hiring criteria, not a generic baseline.

What you can customize

Tone and style Lock content generation to your brand voice. Formal, conversational, regional, industry-specific -- it's up to you.

Scoring weights Boost or suppress specific signals in scoring endpoints. Relevant for resume scoring, content quality checks, and more.

Output structure Tell the model to always include or exclude certain fields, use specific phrasing, or follow your internal format.

Domain context Give the model background it otherwise wouldn't have: your industry, your audience, your product category.

Note on Custom Workflows: Custom Workflows already support user-defined prompts as a first-class feature. Custom Job Prompts do not apply to Workflow requests -- they're scoped to predefined endpoints only.

Managing your prompts

Action	What it does
Save a prompt	Stores the instruction and activates it immediately
Toggle off	Disables the prompt without deleting it. Default AI behavior restored.
Toggle on	Re-activates a previously saved prompt
Delete	Removes the prompt entirely. Endpoint returns to default behavior.

Every save triggers a confirmation dialog. This is intentional: custom prompts can meaningfully change your outputs, and we want the decision to feel deliberate rather than accidental.

Heads up: Custom prompts are powerful, but they can also produce unexpected results if they conflict with the underlying endpoint logic. If your results start looking off, toggling the prompt off is the fastest way to confirm whether it's the source of the issue.

What this means for teams and integrators

If you're building a product on top of SharpAPI and serving multiple clients, custom prompts let you pre-configure the AI layer for each account without maintaining separate middleware or prompt injection logic on your end. Each account operates independently: one customer's scoring weights don't bleed into another's.

For solo developers, this is simply a way to stop re-writing the same context in every API wrapper you build. Write it once, use it forever, change it whenever your needs shift.

Get started

Custom Job Prompts are available to all accounts with API access. No plan upgrade required. Log into your dashboard, find Customize AI Jobs in the sidebar, and start tuning.

Open Dashboard

The Cloud Is Just Someone Else's Computer. Sometimes That Computer Gets Hit by a Drone.

Dawid Makowski — Tue, 31 Mar 2026 08:58:36 +0000

When "Multi-Region Strategy" Means "Outrunning a Military Conflict"

So last week a military drone blew up the AWS data center where my customer's platform runs. The platform serves millions of users across seven countries. I had to spend about a week moving everything from Bahrain to Europe. By hand. Because every single automated migration tool was also broken. Because, you know, the drones.

I run a software consultancy. I've been in tech long enough to have planned for almost every disaster imaginable. Floods, earthquakes, ransomware, that one guy who drops the production database on a Friday afternoon. "Military drone strike on your cloud provider" was never on the list.

And Bahrain is not an isolated case. Right now, data centers in more than ten countries are being targeted or threatened by either Iranian or russian drones. This isn't a regional incident. It's a global pattern.

And yet, here we are. Welcome to DevOps in 2026.

Disaster Recovery Used to Mean Hurricanes. Now It Means Drones.

If you've worked in infrastructure long enough, you've imagined the disaster scenarios. An earthquake takes out a data center in Tokyo. Hurricane floods a facility in Virginia. Maybe a biblical-scale power outage somewhere in Texas (actually, that one happens pretty regularly). You build for resilience, you plan your failovers, you sleep slightly less terribly at night.

And I don't say "earthquake" lightly. Exactly a year ago, my wife and I were on the top floor of our skyscraper condo in Bangkok when a 7.7 magnitude earthquake hit. One second I was pushing a commit. The next second I was crawling on the floor. The building was swaying two meters each side, and water from the rooftop pool came crashing through into our living room. I still get flashbacks from that. So yes, I understand natural disasters on a very personal, visceral level. I expected those to be the thing that would eventually force me to move servers under pressure.

What I never rehearsed was: "Your entire AWS region is down because a military drone hit all availability zones in Bahrain."

Yet here we are.

In early March, Iranian drones struck multiple AWS facilities across the UAE and Bahrain. This wasn't some theoretical threat model from a security conference whiteboard. This was the first confirmed military attack on a major hyperscale cloud provider's infrastructure. Banking apps went down. Payment systems collapsed. Delivery platforms across the Gulf went dark. And somewhere in Thailand, my phone started buzzing with messages from a very worried customer in Saudi Arabia.

There's No Terraform Module for Surviving a War Zone

Here's what you need to understand about the week that followed: every single automated migration tool AWS provides was broken. CloudWatch, the thing that tells you if your servers are even alive? Gone. RDS Snapshots, the thing you use to back up databases before you touch anything? Unavailable. Cross-region transfer? Dead. AMI copies? Nope.

It was like showing up to a house fire and discovering that not only is your fire truck empty, but someone also stole the hydrant.

So I did what any reasonable engineer would do. I had to rebuilt multiple production environments from scratch, on bare Linux images, in Europe. By hand. For a platform serving millions of users across seven countries. I wrote custom scripts to export, compress, and transfer everything over the public internet (because AWS's own internal backbone between regions was also down). I wrote manual rescue scripts for files that kept failing for days with InternalError. I worked nights because often it was the only window where platform traffic was low enough to safely verify everything.

One week of controlled chaos. And by the end of it, the entire platform was running smoothly from Europe, as if nothing had happened.

But everything had happened.

We're a Software Company. Why Do We Keep Running From Wars?

I could tell this story as a purely technical narrative. Here's the architecture, here's the migration plan, here's the clever script that saved the day. But that would miss the point entirely.

Because here's what my day-to-day actually looks like:

I run a small tech consultancy. We build custom software. We manage cloud infrastructure. We automate businesses with AI workflows. Very normal stuff. And yet somehow, every single person on my team has been touched by war. Not metaphorically. Literally.

I live in Thailand, which recently had skirmishes with Cambodia along the border. My Iranian engineer had to flee Iran with his entire family. One of my coworkers lives in Ukraine, literally in a war zone, delivering code between power cuts because the grid keeps getting hit by Iranian-designed drones. A couple of months ago he went to an immigration office across the border and couldn't come back for days because russians bombed the only bridge on his route home. Another colleague had to evacuate Ukraine with his whole family.

We write code and configure servers. We're not defense contractors. We're not geopolitical analysts. We're developers who just want to ship clean code and go home.

And yet, every week, somewhere on this planet, a conflict reaches through the internet cables and grabs us by the collar.

The Strangest Plot Twist of 2026

And now, in what might be the most unexpected geopolitical crossover episode of the decade: Ukraine is protecting Saudi skies.

Let that sink in for a second. The country that has been fighting for its own survival since 2022, that has become the world's foremost expert on shooting down drones because it had no choice, has just signed defense cooperation agreements with Saudi Arabia, Qatar, and the UAE. Over 200 Ukrainian drone-countering specialists are now deployed across the Gulf, helping defend the very region where my customer's servers used to live.

The same drones that forced me to migrate infrastructure out of Bahrain? Ukraine knows those drones intimately. They've been dealing with their Iranian-made cousins, the Shaheds, for years.

So now the country of my colleague who codes between blackouts is also the country protecting the airspace above my customer's business. If you wrote this as fiction, your editor would tell you it's too on the nose.

Who Else Is Living This?

I can't be the only one. There must be thousands of engineers, sysadmins, CTOs, and DevOps folks out there who have spent the last few years making decisions that no technical manual covers. Moving workloads because of missiles. Rerouting traffic because of sanctions. Keeping systems alive through infrastructure that's being actively targeted.

If you've had to migrate production systems because of armed conflict, I'd love to hear your story.

The New Normal (Which Is Not Normal At All)

Twenty years ago, your biggest infrastructure worry was a hard drive failing or router dropping packets. Ten years ago, it was maybe a ransomware attack. Today, it's a state-sponsored drone strike on your cloud provider's physical data center.

We've entered an era where "disaster recovery" needs to account for actual disasters of the military kind. Where your multi-region strategy isn't just about latency and compliance, it's about geopolitical risk assessment.

The conflicts we see on the news aren't happening "over there" anymore. They're happening inside our dashboards, our uptime monitors, our incident channels. Every single one of us in tech is connected to these events whether we like it or not.

The world got very small, and very complicated, very fast.

Check more at my blog.

Introducing Custom Workflows: Turn Any AI Prompt Into a Production API

Dawid Makowski — Mon, 16 Mar 2026 16:28:07 +0000

Photo by Campaign Creators on Unsplash

Building AI-powered features into your product usually means weeks of backend development, prompt engineering, infrastructure setup, and deployment headaches. What if you could skip all of that and go from an idea to a live REST API endpoint in under 60 seconds?

That is exactly what Custom Workflows delivers. A visual builder in the SharpAPI Dashboard lets you define typed input parameters, write your processing logic as a plain-English prompt, and generate a production-ready API endpoint on the spot. The result is a fully authenticated REST API that accepts your inputs, runs them through the AI model of your choice, and returns structured JSON matching the output schema you defined. No backend code. No deployment pipeline. No infrastructure to manage. Just your idea, instantly available as an endpoint.

The Problem: AI Integration Is Still Too Hard

Every development team has a backlog of AI features they want to build. Extract data from invoices. Classify support tickets. Generate product descriptions. Score leads. Moderate content.

Each of these features follows the same pattern: take some input, send it to an AI model, parse the response, and return structured data. And yet, building each one from scratch means writing boilerplate code, handling API communication with model providers, parsing unpredictable outputs into reliable schemas, setting up async processing for long-running tasks, and deploying the whole thing somewhere.

Custom Workflows eliminates every one of those steps.

How It Works: A 5-Step Visual Builder

The Custom Workflows builder lives right in the SharpAPI Dashboard. It walks you through five straightforward steps:

Step 1: Basic Info. Give your workflow a name and description, then choose your input mode (JSON for structured data or Form-Data for file uploads).

Step 2: Parameters. Define your input parameters with types, labels, default values, and required/optional flags. The system supports the full range of types you would expect: strings, numbers, booleans, arrays, and objects for JSON mode, plus text and file inputs for Form-Data mode.

Step 3: AI Prompt. Write what you want the AI to do, in plain English. No prompt engineering expertise needed. If you are not sure where to start, pick one of the pre-made templates (more on those below) and customize it.

Step 4: Output Schema. Define the JSON structure you want back. Or just click one button and let the AI analyze your workflow context to suggest an optimal schema automatically.

Step 5: Review & Save. Preview everything, activate, and grab your endpoint URL. You are live.

That is the whole process. Five steps, and you have a production API.

What You Get: A Real API, Not a Toy

Every saved workflow immediately becomes a live REST endpoint:

POST /api/v1/custom/{your-workflow-slug}

It uses the same API key authentication (X-API-KEY header) as every other SharpAPI endpoint. No additional setup or configuration.

Processing follows the standard SharpAPI async pattern for reliability at scale. You send a POST request and get back a 202 Accepted with a status_url and job_id. Poll the status URL until the job completes, then retrieve your structured JSON result matching the exact output schema you defined.

Every workflow also exposes a self-describing GET endpoint that returns its complete specification: parameter definitions, types, labels, required flags, defaults, output schema, and endpoint URL. This is perfect for auto-generating client code or feeding into other AI systems that need to understand what your API does.

Type Safety Without the Boilerplate

The parameter system is strict by design. Every input parameter is validated against its declared type before any processing begins. Required parameters must be present. Default values fill in for optional ones. And in JSON mode, unknown parameters are automatically rejected, preventing typos and unexpected inputs from sneaking through.

This gives you the kind of type safety you would normally need backend code to enforce, except you get it for free.

Real-World Use Cases

Here is where it gets practical. Custom Workflows can power a wide range of features across industries:

Document Processing. Upload invoices, contracts, receipts, or forms and extract structured data at scale. Pair Form-Data input mode with a file parameter and you have a document processing API in minutes. Think insurance claim forms, medical records intake, shipping manifests, purchase orders, or tax documents.

Content Analysis. Sentiment analysis, content moderation, tone detection, urgency classification. Feed text in, get structured scores and labels out. Great for analyzing customer reviews, social media mentions, support tickets, survey responses, app store feedback, and forum posts.

Content Generation. Automated email drafts, product descriptions, social media posts, marketing copy. Consistent, on-brand content delivered via API. Use it for personalized outreach emails, SEO meta descriptions, product listing copy for e-commerce catalogs, newsletter sections, ad variations, or localized marketing content.

Data Enrichment. Add AI-powered insights, classifications, and predictions to your existing data pipelines. Plug a Custom Workflow into your ETL process and enrich records as they flow through. Classify CRM leads by intent, tag support conversations by topic, extract skills from resumes, or categorize transactions by spend type.

Risk Assessment. Compliance checking, fraud detection signals, policy violation screening. Get structured risk scores through a simple API call. Screen user-generated content for policy violations, flag suspicious transaction patterns, evaluate vendor contracts for non-standard clauses, or check marketing copy against regulatory guidelines.

Customer Support Automation. Route incoming tickets to the right team, suggest reply templates, extract key details (order numbers, product names, issue categories) from customer messages, or generate first-draft responses for agents to review.

E-commerce & Product. Automate product categorization and tagging, generate comparison tables, extract specs from manufacturer datasheets, translate listings for international storefronts, or normalize product attributes across multiple suppliers.

HR & Recruitment. Parse resumes and extract structured candidate profiles, screen cover letters, generate interview question sets tailored to job descriptions, summarize employee feedback surveys, or classify internal knowledge base articles.

Legal & Finance. Summarize contract clauses, extract key terms and obligations, flag non-standard language in agreements, categorize expense reports, or generate structured abstracts from regulatory filings.

Education & Research. Summarize academic papers, extract citations and key findings, generate quiz questions from study materials, classify research topics, or transform lecture notes into structured outlines.

SDKs for Every Stack

Official SDKs are available for PHP, Laravel, Python, and JavaScript/TypeScript. Browse all Custom Workflow SDK packages on GitHub.

Pricing: No Surprises

Custom Workflows use the same credit-based billing system as every other SharpAPI endpoint. There is no extra charge, no separate pricing tier, no hidden fees. If you have credits, you can run workflows.

The feature is available on all plans, from the free tier up to enterprise. Scale and Enterprise plans include additional support for custom endpoint configuration, dedicated account management, and custom SLAs.

The Numbers

30+ pre-built AI endpoints already available alongside Custom Workflows
Unlimited custom workflows on every plan
99.9% API uptime
SOC 2 Type II certified

Get Started

Custom Workflows is live in the SharpAPI Dashboard right now. Log in, click "Create Workflow," and have your first custom AI endpoint running in under a minute.

Whether you are building a document processing pipeline, adding AI-powered content analysis to your SaaS product, or just prototyping a new feature idea, Custom Workflows gives you the fastest path from concept to production API.

Ready to turn your AI prompts into production endpoints? Head to https://sharpapi.com/custom-workflows and start building.

You Just Gave OpenClaw the Keys to Your Entire Digital Life - on a VPS Server You Don't Know How to Secure

Dawid Makowski — Tue, 24 Feb 2026 15:08:37 +0000

You Put OpenClaw on a VPS. It Has Access to Everything. You Secured None of It. Let's Fix That in 30 Minutes.

This guide was written for the brave souls who saw the OpenClaw hype train, jumped aboard, spun up their first VPS, and then had the terrifying realization that they now need to learn Linux security. You're going to be fine. Probably.

Look, I get it. You saw the hype. You saw the tweets. You saw some guy on Reddit say OpenClaw changed his life, and now you're sitting there at 2 AM with your very first VPS, a fresh install of OpenClaw, and the sudden realization that you just handed an AI assistant the keys to your email, your calendar, your Google Drive, your private documents, and basically your entire digital soul - all running on a server you've never secured before because, well, this is your first server.

Now, let's be fair: a fresh Ubuntu installation isn't actually a house with no doors. Ubuntu ships with sensible defaults - no unnecessary open ports, no sketchy services running, SSH with reasonable settings. Credit where credit is due. But here's the problem: you're not running a fresh Ubuntu installation anymore. You're running OpenClaw on top of it. With plugins. And skills. And extensions. And API keys to everything you own.

Here's a fun fact to help you sleep tonight: every VPS that connects to the internet gets fully port-scanned by automated bots within 10 to 20 minutes. Not hours. Not days. Minutes.

But with OpenClaw and its ecosystem of plugins exposing additional services and APIs? Now you're interesting. And on the internet, you do not want to be interesting.

And look - I'm not here to trash OpenClaw. It's genuinely cool. The AI-assistant-on-your-own-server dream is alive and well. But let's be honest with ourselves for a moment: OpenClaw, plus all of its plugins, skills, and extensions, is not exactly what security researchers would call "airtight." It's more what they'd call "a fun afternoon." The platform is young, moving fast, and the attack surface grows with every skill you install. The real risk isn't Ubuntu's defaults - it's everything you're bolting on top of them.

So since we can't fix OpenClaw's security overnight, let's make damn sure that the server underneath it is locked down tight, so that even if someone finds a vulnerability in a plugin, they hit a brick wall instead of a buffet.

The good news? I recommend Ubuntu for your VPS, and I'm going to walk you through this whole thing step by step.

Why Ubuntu? Because it has a massive community, a mountain of security tools, and - this is the important part - any non-technical noob can harden it in about 30 minutes with proper guidance.

Let's go. And please, for the love of everything, don't close your terminal until I tell you to.

Step 0 - Non-root user

Before we do anything else - if you're still logged in as root like some kind of digital cowboy, we need to fix that immediately. Root is the god account. It can do anything, break anything, and delete anything, including itself.

So let's create a proper user and give it sudo powers:

adduser ubuntu
usermod -aG sudo ubuntu

Now, because typing your password every time you run sudo gets old approximately 4 seconds after the first time, let's set up passwordless sudo. Run visudo and add this line at the very bottom:

ubuntu ALL=(ALL) NOPASSWD:ALL

From this point on, you do everything as ubuntu and use sudo when you need elevated privileges. Think of root as the emergency fire axe behind glass - it's there if you need it, but you shouldn't be casually swinging it around on a Tuesday afternoon.

Now copy your SSH key to the new user (ssh-copy-id or manually paste it into /home/ubuntu/.ssh/authorized_keys), log in as ubuntu in a new terminal to make sure it works, and never log in as root again.

Step 1: Set Your Timezone

Before we do anything dramatic, let's make sure your server knows what time it is. This sounds trivial, but accurate timestamps in your logs are the difference between "I can see exactly when someone broke in" and "something happened... at some point...

dpkg-reconfigure tzdata

Pick your timezone from the menu. It's interactive.

Step 2: Update Everything

Your server shipped with software that was already outdated by the time you clicked "Deploy." Let's fix that.

apt update && apt upgrade -y

This updates all your packages to their latest versions, patching known vulnerabilities. Think of it as putting on pants before leaving the house. Bare minimum.

Now, because we both know you're going to forget to do this regularly (I know you, and I love you, but I know you), let's set up automatic security updates:

apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

This configures your server to automatically install critical security patches without you having to remember. It's like hiring a tiny robot butler whose only job is to lock the doors you keep leaving open.

Step 3: Set Up Ubuntu Pro

Ubuntu Pro gives you expanded security maintenance, kernel live patching, and compliance tools. And here's the kicker - it's free for up to 5 machines.

Go to ubuntu.com/pro, grab your token, and attach it:

pro attach YOUR_TOKEN_HERE

This extends your security coverage and covers thousands of additional packages. It's like getting the extended warranty, except it actually does something.

Step 4: Lock Down SSH

SSH is how you talk to your server. It's also how everyone else tries to talk to your server. By default, it's running on port 22, which is the first port every bot on the internet checks. That's like hiding your house key under the doormat - the one place literally everyone looks first.

Edit your SSH config:

nano /etc/ssh/sshd_config

Here's what your config should look like. I'll explain each line, because I respect you and your journey:

Port 55222                            # Move SSH off the default port. Not foolproof, but stops 90% of really lazy scanners.
LoginGraceTime 2m                     # You get 2 minutes to authenticate. After that, goodbye.
PermitRootLogin no                    # NOBODY logs in as root. Ever. Not even you. Especially you.
MaxAuthTries 5                        # 5 wrong passwords and we hang up on you. Rude? Maybe. Secure? Yes.
PasswordAuthentication no             # No passwords. Period. Keys only. Passwords are the cargo shorts of security.
PermitEmptyPasswords no               # Just... no. Come on.
AllowUsers ubuntu                     # Only the 'ubuntu' user can log in. Everyone else can go home.
X11Forwarding no                      # No graphical forwarding. This is a server, not a gaming PC.
PermitUserEnvironment no              # Don't let users set environment variables through SSH. Trust issues? You bet.
AllowAgentForwarding no               # No SSH agent forwarding. Reduces the risk of key theft.
AllowTcpForwarding no                 # No TCP tunneling through your server. It's not a VPN.
PermitTunnel no                       # Same energy as above. No tunnels.
KbdInteractiveAuthentication yes      # Needed for 2FA (we'll get there, be patient).
ChallengeResponseAuthentication yes   # Also needed for 2FA. The dynamic duo.
AuthenticationMethods publickey,keyboard-interactive  # Key first, then 2FA code. Belt AND suspenders.
UsePAM yes                            # Use PAM for authentication. Required for Google Authenticator.

The key takeaways: We moved the SSH port (so bots can't find it easily), disabled root login (so even if someone gets in, they're not god), killed password authentication (keys only, like a VIP club), and set up the groundwork for two-factor authentication.

Now reload SSH so it actually pays attention to what we just told it:

sshd -t && systemctl reload ssh.service

The sshd -t part tests your config first. If there's a typo, it'll tell you before you lock yourself out. Because locking yourself out of your own server is a very special kind of pain.

⚠️ CRITICAL: Do NOT close your current terminal session yet. Open a NEW terminal and test that you can still connect with your new settings before closing anything.

ssh -i /path/to/your-key -p 55222 ubuntu@your-server-ip

Step 5: Install Fail2Ban

Fail2Ban watches your authentication logs and automatically bans IP addresses that fail to log in too many times. It's basically a nightclub bouncer for your server.

apt install fail2ban -y

Out of the box, Fail2Ban will monitor SSH and ban anyone who fails authentication repeatedly. You can customize the jail settings later, but the defaults are already pretty solid for keeping the riff-raff out.

Think of it this way: Step 4 made it harder to get in. Step 5 makes sure that anyone who keeps trying gets permanently shown the door.

Step 6: Set Up Two-Factor Authentication

This is the big one. This is where we go from "pretty secure" to "okay, now I can actually sleep at night."

Two-factor authentication means that even if someone somehow gets your SSH key (it happens - laptops get stolen, backups get leaked, your cat walks across your keyboard and emails it to someone), they STILL can't get in without the 6-digit code from your phone.

Install Google Authenticator:

apt install libpam-google-authenticator -y

Switch to your ubuntu user and run the setup:

su - ubuntu
google-authenticator

It'll ask you some questions. Here are the correct answers (you're welcome):

Prompt	Answer	Why
Time-based tokens?	y	Time-based is more secure than counter-based
Update .google_authenticator file?	y	This saves your config
Disallow multiple uses?	y	Each code works exactly once
Increase time window?	n	Keep it tight
Rate limiting?	y	Slows down brute-force attempts

It'll show you a QR code. Scan it with Google Authenticator, Authy, or whatever TOTP app you prefer. And for the love of all that is holy, SAVE THE EMERGENCY SCRATCH CODES.

Put them in a password manager (important!). They're your "break glass in case of emergency" codes if you lose your phone.

Configure PAM (this tells SSH to actually use the authenticator):

sudo nano /etc/pam.d/sshd

Add this line at the very top:

auth required pam_google_authenticator.so

And comment out this line (to prevent a double password prompt, which is annoying and unnecessary):

# @include common-auth

Make sure your SSH config has these lines set correctly (most of them should already be right from Step 4):

KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
PasswordAuthentication no

Test the config and restart SSH:

sshd -t && systemctl restart ssh

Now test in a NEW terminal (seriously, keep your current session open - are you sensing a pattern here?):

ssh -i /path/to/your-key -p 55222 ubuntu@your-server-ip

Your login flow should now be: SSH key → TOTP verification code → you're in. No password involved. Just your key and your phone. It's like a secret handshake, but actually secure.

Step 7: Monitor Your Logs

Congratulations, your server is now significantly more secure than it was 20 minutes ago. But you need to actually check on things occasionally.

Check your SSH authentication logs:

sudo cat /var/log/auth.log | grep sshd

For live monitoring (great for watching scans/attacks happen in real-time, which is weirdly entertaining):

sudo tail -f /var/log/auth.log

What to look for:

Repeated failed login attempts - Fail2Ban should catch these, but check anyway
Login attempts from unfamiliar IP addresses - If you see IPs you don't recognize, investigate
Unknown usernames - If someone's trying to log in as "admin" or "test," that's a bot
Successful logins at weird hours - If you logged in at 3 AM and you were asleep at 3 AM, we have a problem

Bonus Round: For the Ambitious

If you've made it this far and you're feeling confident (possibly too confident, but I respect the energy), here are two next-level options:

Tailscale

Tailscale creates a private mesh VPN between your devices. Once set up, you can access your server through a private network that isn't exposed to the public internet at all. It's like having a secret tunnel to your server that only you know about. The setup is shockingly simple for something this powerful.

Cloudflare Tunnel

Cloudflare Tunnel lets you expose your OpenClaw instance to the internet without opening ANY inbound ports on your server. Zero. None. The server reaches out to Cloudflare, and Cloudflare handles all incoming traffic. It's like having a P.O. Box for your server - people can send you mail, but they don't know where you live.

Both of these are excellent options if you want to take your security from "solid" to "paranoid, but like, in a healthy way."

Final Thoughts

If you're running OpenClaw on a VPS, you've put your most private digital life on a server connected to the open internet. Your emails. Your calendar. Your documents. Your credentials. All of it sitting there, protected by whatever security you bothered to set up.

Is your server now impenetrable? No. Nothing is impenetrable. But you've gone from being a soft, delicious target to being the server that's maybe not worth the effort today when there are millions of easier ones to hit.

You've got this. Probably. I believe in you. Mostly.

How We Automated Invoice Processing for Our Clients

Dawid Makowski — Mon, 23 Feb 2026 15:11:05 +0000

If you've ever watched a finance team manually key in invoice data from a stack of PDFs, phone photos, and scanned documents, you know the look. It's somewhere between existential dread and quiet resignation. We've seen it across multiple client engagements - fintech, retail, logistics - and the story is always the same. Smart people doing dumb work because the tools they have can't handle the chaos of real invoices.

So we fixed it.

The Problem We Kept Running Into

Across our client projects, invoice processing kept showing up as a bottleneck. Not because the concept is hard, but because the reality is messy. Invoices arrive as pristine PDFs sometimes, sure. But more often they show up as phone photos taken at weird angles with bad lighting, scanned TIFFs from office equipment that should have been retired a decade ago, or flattened PDFs where the text is baked into images and not selectable.

Every off-the-shelf OCR solution we tried would work great on the clean files and fall apart on everything else. And "everything else" is most of what shows up in production.

What We Built

We designed a multi-step AI pipeline that approaches invoice parsing the way a human would -- if that human could process thousands of documents per hour without making mistakes.

Step 1: ML-powered OCR extracts the raw content from the file, regardless of format or quality. This isn't your basic Tesseract setup. It's trained to handle the messy stuff -- crumpled paper, shadows, skewed scans, multi-page documents.

Step 2: AI processing rounds take that raw extraction and run it through multiple validation and structuring passes. This is where the magic happens. The AI identifies what's a line item vs. a header vs. a tax calculation, maps seller and buyer information correctly, and resolves ambiguities that would trip up simpler systems.

The result is a clean, structured JSON object with 100+ data fields covering everything you'd ever need from an invoice: document metadata, seller/buyer details with full addresses, financial breakdowns with tax calculations, individual line items, payment terms, logistics info, e-invoice metadata, and reference numbers.

What It Handles

We built this for the real world, not demo day. That means it works with:

8 file formats: PDF, DOC, DOCX, JPG, JPEG, PNG, TIFF, TIF
Messy phone photos: crumpled paper, bad lighting, weird angles -- the kind of stuff your field teams actually send in
Scanned invoices and flattened PDFs: where the content is images, not selectable text
Multi-page invoices: processes the full document, not just the first page
Multi-currency invoices: extracts currency info, exchange rates, VAT/GST/SST IDs, and country-specific tax details
80+ languages: from English to Japanese to Arabic

How Our Clients Use It

Once we had this working, the use cases multiplied fast:

Accounts payable automation - the obvious one. Invoices come in, structured data comes out, AP workflow picks it up. Processing time goes from minutes per invoice to seconds.

ERP and accounting integration - clean, consistent data piped straight into QuickBooks, Xero, SAP, NetSuite, or whatever the client is running. No more "which field maps to what" conversations with the finance team.

Spend analytics - when every invoice is structured data, building dashboards and running analyses across your entire vendor base becomes trivial. Clients use this to spot trends, negotiate better terms, and flag cost-saving opportunities.

Fraud detection - cross-referencing parsed invoice data against purchase orders and contracts to automatically flag discrepancies before payments go out.

Expense management and compliance - automating expense report validation against company policies and maintaining audit trails without human intervention.

We Made It Available to Everyone

Rather than keep this locked inside client projects, we productized the entire pipeline as part of SharpAPI -- our AI workflow automation API. The Invoice Parsing endpoint is live and available on all plans.

Integration follows the same simple async pattern as all SharpAPI endpoints:

curl --location 'https://sharpapi.com/api/v1/invoice/parse' \
--header 'Accept: application/json' \
-H "Authorization: Bearer YOUR_API_TOKEN" \
--form 'file=@"invoice.pdf"'

POST your file, get a job ID, poll for results. That's it.

And because we know developers hate writing boilerplate HTTP code, there are ready-to-go SDK packages for PHP, Laravel, Node.js, Python, and .NET on GitHub:

Browse Invoice Parsing SDKs on GitHub

Why This Matters for Your Business

Manual invoice processing costs businesses an average of $15-$40 per invoice when you factor in labor, errors, and delays. At scale, that adds up fast. If your team processes a few hundred invoices a month, you're looking at significant savings just by automating the extraction step -- not to mention the reduction in errors that cause payment disputes, compliance issues, and vendor relationship headaches.

We built this because we kept seeing the same problem across different industries and different clients. If your business deals with invoices at any meaningful volume, this is the kind of automation that pays for itself in the first week.

Get Started

Product page: SharpAPI Invoice Parser
Detailed blog post with full response examples: Invoice Parsing API - Extract Structured Data from Any Invoice

Everything runs on SOC 2 Type II certified infrastructure, so your invoice data is handled with the same security standards we maintain across all our client work.

Got a specific invoice processing challenge? Talk to us - whether you need the API integrated into your existing systems or a full custom workflow built around it, that's literally what we do.

Invoice Parsing API - Extract Structured Data from Any Invoice

Dawid Makowski — Sun, 22 Feb 2026 08:41:16 +0000

Photo by Cht Gsml on Unsplash

What It Does

Upload an invoice in any of 8 supported formats (DOC, DOCX, PDF, JPG, JPEG, PNG, TIFF, TIF), and the API extracts and structures the entire document into a comprehensive data object. We're talking seller and buyer details, full financial breakdowns with tax calculations, individual line items, payment terms, logistics info, e-invoice metadata, and reference numbers — all neatly organized and ready for your systems.

And yes, it handles scanned invoices and flattened PDFs where the content is images rather than selectable text. Because in the real world, invoices aren't always pixel-perfect.

Real-World Use Cases

Automated Accounts Payable

Feed invoices directly into your AP workflow. The API extracts vendor details, amounts, due dates, and line items — eliminating manual data entry and reducing processing time from minutes per invoice to seconds.

ERP & Accounting System Integration

Pipe structured invoice data straight into your ERP (SAP, Oracle, NetSuite, QuickBooks, Xero — you name it). No more reconciliation headaches, no more "which field maps to what" conversations. The data comes out clean and consistent every time.

Spend Analytics & Vendor Management

Aggregate invoice data across your entire vendor base to spot spending trends, negotiate better terms, and identify cost-saving opportunities. When every invoice is structured data, building dashboards and running analyses becomes trivial.

Expense Management & Compliance

Automate expense report validation by parsing receipts and invoices. Cross-reference extracted data against company policies, flag anomalies, and maintain a clean audit trail — all without human intervention.

Multi-Currency & Cross-Border Operations

The API extracts currency information, exchange rates, VAT/GST/SST IDs, and country-specific tax details. Perfect for businesses operating across borders that need to handle invoices in multiple currencies and comply with regional tax requirements.

Invoice Verification & Fraud Detection

Compare extracted invoice data against purchase orders, delivery receipts, and contracts. Automatically flag discrepancies in quantities, pricing, or vendor information before payments go out.

How It Works

Like all SharpAPI endpoints, Invoice Parsing follows a simple two-step async pattern:

Step 1: Submit your invoice file via a POST request to https://sharpapi.com/api/v1/finance/parse_invoice. You'll receive a job ID and status URL.

Step 2: Poll the status URL until the job completes. The result contains the full structured invoice data.

curl --location 'https://sharpapi.com/api/v1/finance/parse_invoice' \
--header 'Accept: application/json' \
-H "Authorization: Bearer YOUR_API_TOKEN" \
--form 'file=@"invoice.pdf"'

The response includes over 100 individual data fields organized into logical sections: document metadata, invoice details, references, e-invoice data, seller/buyer information, financials with tax breakdowns, line items, payment terms, and logistics data.

Why This Matters

Manual invoice processing costs businesses an average of $15–$40 per invoice when you factor in labor, errors, and delays. At scale, that adds up fast. By automating the extraction step, you're not just saving time — you're eliminating the single biggest source of AP errors and freeing your team to focus on work that actually requires human judgment.

Get Started

The Invoice Parsing endpoint is available now on all SharpAPI plans. Check out the details of Invoice Parsing for detailed request/response schemas, supported languages, and integration guides.

Your invoices aren't going to parse themselves. Well, actually — now they will.

Integrate faster with SharpAPI SDKs.
Ready-to-use client packages for PHP, Laravel, Node.js, Python, Flutter, and .NET are available on GitHub.
Browse Invoice Parsing SDKs →

Your Penetration Test Report Just Landed. Read This Before You Panic.

Dawid Makowski — Tue, 17 Feb 2026 10:29:04 +0000

I've watched the same movie play out too many times: a management team receives a penetration testing report, sees a wall of findings with scary-sounding names, and immediately assumes their platform is on fire.

It's not on fire. It's almost never on fire.

But the report sure makes it look like it is. And that's the problem I keep running into - not with the platforms, but with how people read these reports.

The Translation Problem

When you're a CTO or an external CTO-as-a-Service advisor, part of the job is translating between the world of security tooling and the world of business decision-making. These two worlds speak very different languages. Security tools speak in volumes of automated findings. Business leaders speak in risk, cost, and "should I be worried right now?"

That gap is where the panic starts.

Over the years I've learned to get ahead of it. Before every VAPT (Vulnerability Assessment and Penetration Testing) cycle, I walk my clients through what to expect from the results - what the findings actually mean, what's noise, and what deserves real attention. It's part education, part expectation management, and part gentle reminder that a 200-page PDF full of findings does not mean the sky is falling. Sometimes it just means the scanner was very thorough and a bit too enthusiastic.

The goal is simple: give non-technical stakeholders the mental framework to read a VAPT report without losing sleep. Because the report is only half of the story. The other half - the part that actually matters - is interpreting those findings in the context of your platform, your architecture, and your specific business requirements.

The Anatomy of a VAPT Report (For Humans)

Here's what most people don't realize about penetration testing: the raw output of any engagement is never the final verdict on your security. It's a starting point for analysis.

VAPT teams rely on automated scanning tools to generate their initial findings. These tools are designed to cast an absurdly wide net. They flag anything that could theoretically be a concern. And I mean anything. Your OAuth integration with Google? Flagged. Your CDN serving static assets from a different domain? Flagged. A cookie that JavaScript can access because your entire framework was literally designed that way? You better believe that's flagged. Any open port on the server, even port 80 or 443? Yup, also flagged.

This isn't a flaw in the process. It's how the process works. The tools are doing their job. The question is what happens next.

The Quality Gap Nobody Talks About

And here's where it gets interesting.

Not all VAPT teams are created equal. In fact, there's a pretty dramatic quality spectrum, and where your team falls on it determines whether you receive a useful, contextualised security assessment or a PDF-shaped anxiety attack.

Budget-oriented teams tend to optimise for volume. They run the tools, collect the output, and forward everything to the client with minimal filtering. The result? A report with dozens - sometimes hundreds - of findings, many of which are informational noise or outright false positives. It looks impressive. It fills a lot of pages. But it creates exactly the kind of alarm that derails productive conversations about actual security.

I've seen reports where the same exact finding was listed separately for every URL on the platform. Same issue, same root cause, same "vulnerability" - just presented 147 times to make the PDF thicker.

More experienced teams - and yes, they typically cost more - invest significant effort in triaging their tool output before presenting it. They separate signal from noise. They tell you what actually matters and why. They cross-reference previous engagement results instead of re-investigating known behaviours from scratch. Their reports are shorter, more accurate, and infinitely more useful. You're paying for judgment, not just scanning hours.

Severity Levels: A Quick Decoder Ring

Every VAPT report categorises findings by severity. Here's the practical translation:

Critical and High - Stop what you're doing and fix these. These represent real, exploitable vulnerabilities. In a well-maintained platform with regular dependency updates, strong authentication, and proper encryption, these should be rare. If your report is full of them, you have a genuine problem. If it has zero, congratulations - that's the goal.

Medium and Low - Read these with a calm mind. They often represent theoretical risks, hardening suggestions, or configuration preferences. Many are informational. Think of them as a security consultant saying "you could also do this" rather than "your house is currently on fire."

Informational - These are diagnostic notes. They describe how your platform behaves. They don't indicate risk. You can acknowledge them and move on.

The number of findings in a report tells you almost nothing about how secure your platform is. A report with 150 findings and zero criticals is a dramatically better result than one with 5 findings and 2 criticals.

False Positives: The Uninvited Guests

Every - and I mean every - VAPT engagement produces false positives. These are findings that automated tools flag as potential issues but which, upon analysis, turn out to be expected framework behaviours, design decisions, or artefacts of the cloud infrastructure itself.

In a recent engagement, we documented over 20 false positives across two reports. The cloud provider's own security infrastructure was triggering alerts during the scan - the scanning tools were essentially detecting the host's defence systems and reporting them as application vulnerabilities. That's like a home inspector flagging your alarm system as a security risk. Technically, something happened. Practically, it's the opposite of a problem.

Context Is Everything

If there's one thing I want people to take away from this, it's this: a VAPT report must always be read in the context of the specific platform it was conducted against.

Security is not a one-size-fits-all discipline. A finding that represents a genuine vulnerability on one platform could be an intentional design decision on another. Session tokens in URLs? Alarming - unless they're part of a standard OAuth handshake with a provider like Google or Twitter, in which case they're temporary, scoped, and exactly where they're supposed to be. Cross-domain script includes? Suspicious - unless they're loading Google's reCAPTCHA or your SSO integration, in which case they're essential.

The report is half of the truth. The contextual analysis is the other half. Without both, you're making decisions based on incomplete information - and in my experience, those decisions tend to lean toward unnecessary panic and wasted remediation effort.

If you have a VAPT cycle coming up, prepare your stakeholders before the report lands. It'll save you a week of damage-control conversations that didn't need to happen.

CVMatchScore.com: A Real-World Showcase of Our Resume Match API

Dawid Makowski — Fri, 09 Jan 2026 12:17:51 +0000

Photo by Nik on Unsplash

We just launched a small thing that accidentally became useful.

It’s called CV Match Score:
https://cvmatchscore.com

The backstory is simple. I kept getting the same question from people building HR tools and workflows:

“Cool endpoint. But what does it actually look like when a real human uses it?”

Fair. JSON is charming, but it doesn’t exactly spark joy.

So we built a tiny, fully functional product that showcases our SharpAPI endpoint in the wild, under real conditions, with real inputs. No screenshots. No “imagine it works like this.” It just works.

Behind the scenes, CV Match Score uses this SharpAPI capability:
https://sharpapi.com/en/catalog/ai/hr-tech/resume-cv-job-match-score

What it does:

You upload a CV.
You paste a job description.
You get a structured match score with explanations that make sense to humans, not just to machines having a meeting about keywords.

Why we built it (beyond our obvious addiction to shipping):

Documentation tells you what an API returns.
A working tool shows you what users feel.
And that’s the difference between “nice endpoint” and “this can be a feature inside my product next week.”

If you’re building:

HR tech products
ATS features
internal screening workflows
recruitment automation

This tool is basically a fast, honest preview of what the endpoint enables when you put a UI in front of it.

Try it, break it, tell us what’s missing!

Fixing Spatie's Laravel ResponseCache to Respect Accept-Language

Dawid Makowski — Thu, 21 Aug 2025 09:18:38 +0000

I’ll be honest. Few things are more frustrating than solving a problem by reaching for a great package… only to realize the problem is still there. That was me last week, yelling at my API like it had just spoiled the finale of a Netflix show.

I was using Spatie’s Laravel ResponseCache package. It’s rock solid, it works out of the box, and it’s built by people I trust. But here’s the kicker: I turned it on in production and suddenly my multilingual API was speaking one language only. The first request cached in English. Every Arabic request after that? Still English.

So here’s what it took to fix it. I hope it will help some lost soul on the internet one day.

Photo by Douglas Lopes on Unsplash

The Problem

Spatie’s ResponseCache builds cache keys from the host, normalized URI, HTTP method, and a suffix (usually the user ID). That works fine most of the time, but it completely ignores request headers like Accept-Language.

Which means:

First request with Accept-Language: en → response cached in English
Second request with Accept-Language: ar → still gets the English version

My API became linguistically challenged.

The Fix: Middleware That Cares About Language

Spatie lets you influence the cache key by setting a per-request attribute called responsecache.cacheNameSuffix. All we have to do is populate it with something that changes when the language changes.

Here’s the middleware I ended up shipping:

<?php

declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class SetResponseCacheSuffixFromLanguage
{
    public function handle(Request $request, Closure $next)
    {
        // Take the first language from the Accept-Language header
        $accept = Str::of($request->header('Accept-Language', ''))
            ->before(',')
            ->replace('_', '-')
            ->lower()
            ->value();

        // Add user id if you want to separate caches per user
        $userId = auth()->id();

        $suffix = implode('|', array_filter([$userId, $accept]));
        if ($suffix !== '') {
            $request->attributes->set('responsecache.cacheNameSuffix', $suffix);
        }

        // Optional: add a debug header so you can see what suffix is being used
        $response = $next($request);
        if ($suffix !== '') {
            $response->headers->set('X-ResponseCache-Suffix', $suffix);
        }

        return $response;
    }
}

Registering the Middleware

In Laravel 12, add it globally in bootstrap/app.php:

use App\Http\Middleware\SetResponseCacheSuffixFromLanguage;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->append(SetResponseCacheSuffixFromLanguage::class);
    })
    ->create();

Now the cache key varies by Accept-Language and you no longer serve Arabic users the English version of your API.

Adding the Vary Header

If you’re running behind AWS ALB or a CDN, make sure your responses include Vary: Accept-Language. Otherwise proxies and browsers might serve the wrong cached version.

Just drop this into the middleware:

$response->headers->set(
    'Vary',
    trim(($response->headers->get('Vary') ?: '') . ', Accept-Language', ', ')
);

Don’t Forget to Clear Old Cache

The existing cache entries are language-agnostic, so clear them once:

php artisan responsecache:clear

How to Prove It Works

Run these two curls and check the header:

curl -H 'Accept-Language: en' https://api.example.com/v1/pages -I | grep X-ResponseCache-Suffix
curl -H 'Accept-Language: ar' https://api.example.com/v1/pages -I | grep X-ResponseCache-Suffix

You should see en vs ar. That’s your proof the cache is now language-aware.

Will be chasing Spatie's team to add this to the package as well, fingers crossed!

Check my personal blog for more tech-related content.

Resume/CV & Job Description Match Scoring Just Got an Upgrade

Dawid Makowski — Thu, 01 May 2025 11:24:57 +0000

All the API endpoint details are available here: Resume/CV Job Match Score API

What Problem Are We Solving?

Let’s face it—traditional resume screening tools often rely on rigid keyword matching. They miss context, nuance, and real-life relevance. And manual screening? It’s time-consuming, inconsistent, and let’s be honest—no one enjoys it.

Our new API brings AI-powered intelligence to resume screening. Instead of just looking for the word “JavaScript,” it asks:

How experienced is this person with JavaScript?
Is that experience relevant to this specific role?
Does their education, project history, or certifications back it up?

In other words, it thinks like a recruiter—but processes results in milliseconds.

How It Works

Just upload a resume file (PDF, DOCX, TXT—you name it) and paste the job description. The API will handle the rest:

Automatically extract relevant data from the CV.
Compare it against the job requirements using 20+ AI-weighted scoring factors.
Return a structured JSON response with both match scores and explanations.

That’s it. You get an instant breakdown of how well a candidate fits your role—no manual guesswork.

Key Features

✅ Real Matching Logic

Goes beyond keywords by evaluating actual job experience, education, technical stacks, methodologies, and more.

📊 20+ Compatibility Parameters

Includes scores for skills, certifications, cultural fit, stability, location preferences, and more.

💬 Built-In Explanation Engine

Get reasoning behind the score—great for recruiters and hiring managers who want transparency.

📡 RESTful API, Developer Friendly

Supports multipart form uploads. You can integrate it into ATS platforms or use it in standalone workflows.

🌍 Supports Localization

Want explanations in French or Spanish? Just set the language parameter.

Sample Use Case

curl --location 'https://sharpapi.com/api/v1/hr/resume_match_score' \
--header 'Accept: application/json' \
-H "Authorization: Bearer YOUR_API_TOKEN" \
--form 'file=@"Resume.pdf"' \
--form 'content="We are hiring a backend developer skilled in Laravel and PostgreSQL..."' \
--form 'language="English"'

Response Example

{
    "data": {
        "type": "api_job_result",
        "id": "2f17d9ef-dcbc-4521-9a20-6d9f41e58de8",
        "attributes": {
            "status": "success",
            "type": "hr_resume_job_match_score",
            "result": {
                "match_scores": {
                    "overall_match": 65,
                    "skills_match": 80,
                    "experience_match": 90,
                    "education_match": 0,
                    "certifications_match": 0,
                    "job_title_relevance": 70,
                    "industry_experience_match": 85,
                    "project_experience_match": 75,
                    "technical_stack_match": 80,
                    "methodologies_match": 60,
                    "soft_skills_match": 75,
                    "language_proficiency_match": 100,
                    "location_preference_match": 50,
                    "remote_work_flexibility": 80,
                    "certifications_training_relevance": 0,
                    "years_experience_weighting": 90,
                    "recent_role_relevance": 60,
                    "management_experience_match": 100,
                    "cultural_fit_potential": 70,
                    "stability_score": 85
                },
                "explanations": {
                    "skills_match": "The candidate has strong PHP and MySQL skills, which align well with the job requirements. However, specific mention of Laravel experience is missing.",
                    "experience_match": "The candidate has over 22 years of programming experience, which is highly relevant and exceeds the typical requirements for the role.",
                    "education_match": "No specific educational background is provided in the resume, making it impossible to assess alignment with job requirements.",
                    "certifications_match": "No certifications are listed in the resume, so alignment with any required certifications cannot be assessed.",
                    "language_proficiency_match": "The candidate has professional working proficiency in English, which matches the job requirement for English communication skills."
                }
            }
        }
    }
}

Who Should Use This API?

This API is ideal for:

HR tech platforms looking to boost their matching capabilities
Recruitment agencies automating pre-screening
Hiring managers who want fast, data-backed insights
ATS systems needing a plug-and-play enhancement

Final Thoughts

This isn’t just another endpoint. It’s a shift in how we approach early-stage hiring decisions—automated, structured, and powered by AI.

Try it. Plug it into your workflow. Let the machine do the matchwork.

🧠 Smarter hires start here.

📌 Explore the API endpoint Docs →

📌 AI Resume & Job Description Matching for Laravel

Vibe Coding Is Fun—But Vibe Refactoring Pays the Bills

Dawid Makowski — Sat, 26 Apr 2025 14:33:42 +0000

There’s a lot of hype about vibe coding—that moment when caffeine hits, your playlist slaps, and you hammer out code like a jazz drummer sprinting through a solo. It’s exhilarating, but relying on that adrenaline burst is like funding your retirement with scratch-offs.

So let’s flip the script to something that actually compounds: vibe refactoring. Same spontaneous energy, but aimed at shrinking technical debt and sharpening your architecture instead of amping up the commit count.

A Quick Setup

Block 15–20 minutes on your calendar. No ticket, no KPI, no “reduce cyclomatic complexity by 13.7 %” targets. Just a promise to poke around your codebase with beginner eyes.

Step-by-Step (a.k.a. How the Magic Happens)

Open the IDE and wander Pretend you cloned this repo yesterday. Warnings and TODOs suddenly look less like background noise and more like neon signs that say “Fix me, champ.” Clear a few of those—you’ll feel lighter already.
Let the IDE nag you Hover over the yellow squiggles. Remove the unused imports, tame the long methods, rename the variable that’s secretly been haunting you since 2019. Each micro-win is a quick dopamine hit.
Run [repomix](https://repomix.com/) (formerly repopack) This bundles context so large-language models can actually understand your project’s ecosystem instead of hallucinating a new service layer “for funsies.”
Chat with an LLM Drop a knotty function into your favorite model and ask: “Any cleaner way to handle this?” or “Spot an N+1 query?” or “Got an indexing tip for this desperate JOIN?” It’s brutally honest rubber-duck debugging—and it never rolls its eyes.
Follow the rabbit hole A “quick” fix often blossoms into a two-hour code spa. Let it. Today’s detour is tomorrow’s velocity boost.

What You’ll Gain (Besides a Self-Esteem Spike)

Compounding quality: Tiny weekly tweaks snowball into major stability over months.
Faster deployments: Fewer regressions means release day stops feeling like Russian roulette.
Happier teammates: A clean codebase is onboarding heaven—no more haunted-house tours for new hires.
Satisfied customers: Snappier queries and smoother UX, even if they can’t pinpoint why things suddenly feel better.

Keep It Light, Keep It Weekly

No formal goals, no pressure. Cue your favorite playlist, celebrate micro-wins in Slack (GIFs encouraged), and rotate refactor buddies so fresh eyes stay fresh. This is maintenance rebranded as exploration—curiosity, but profitable.

Final Thought

Vibe coding gives you adrenaline.

Vibe refactoring gives you longevity.

Block the time, wander through the code, and watch the compound interest kick in. Do it once and you’ll feel lighter; do it every week and you’ll wonder how you ever shipped without it.

ChatGPT is Bullshit: Why Your AI Buddy Might Be Bluffing

Dawid Makowski — Thu, 27 Mar 2025 07:27:17 +0000

Alright, folks, let’s chat about why ChatGPT sometimes sounds like it’s confidently bluffing its way through a poker game it barely understands. We’re talking about a study by Michael Townsen Hicks, James Humphries, and Joe Slater titled “ChatGPT is Bullshit.” Yes, that’s the actual title. Let’s dig in.

It’s Not Lying, It’s Just BS-ing

The study suggests that ChatGPT isn’t lying or hallucinating—it’s simply bullshitting. It doesn’t care about being right; it cares about sounding like it knows what it’s talking about. Think of it as your one friend who’s always got a factoid, but you’re 80% sure they’re making it up as they go.

Truth? Who Needs It?

ChatGPT’s job isn’t to deliver the truth; it’s to deliver something that feels truthy. It’s all about the vibe, not the validity. Like when you’re in an argument, and you drop a line that just sounds like it should win the debate, even if you have no idea what you’re saying.

It’s a Probability Party

Behind the scenes, ChatGPT is basically just guessing which word should come next based on probabilities. It’s not checking facts—it’s rolling the dice. Sometimes it’s a winning hand, and other times… well, you get a sentence that sounds like it came from the Twilight Zone.

Why It Matters

The authors argue that calling ChatGPT’s mistakes “hallucinations” is misleading. It’s not seeing things that aren’t there—it’s just spouting out BS because it doesn’t actually care if what it’s saying is true or not. It’s like that person who can’t admit they’re wrong, so they just keep doubling down.

BS Isn’t Harmless

Here’s the kicker: This kind of BS isn’t just harmless fun. When people mistake ChatGPT’s confident nonsense for actual truth, things can go sideways—fast. Just ask the lawyer who cited fake cases ChatGPT made up. Oops.

Final Thought

So, next time ChatGPT tells you something wild, remember: It’s not lying, it’s just a smooth talker who’s really good at pretending to know what’s up. Let’s keep that in mind when we ask it for advice.

Check out the full study here for the juicy details: ChatGPT is Bullshit.

Source