DEV Community

Cover image for The Cat That Changed API Rules
Skapi
Skapi

Posted on

The Cat That Changed API Rules

#webdev #programming #api #security

How a meme app improved Skapi’s backend logic (and made our cat very happy)

It started as a joke.

We wanted to make a tiny web app called “Should I Feed the Cat?” - a pixel-art voting game where anyone could click YES or NO, watch the scores rise in real time, and decide the fate of a digital cat.

But that dumb little cat ended up exposing something much bigger: a flaw in how we handled public data submission.

The meme cat web app in question:

meme cat

In the process, this little web application changed how Skapi, our secure backend platform, works.

The Problem: Login Walls vs. Public Data

Originally, Skapi was designed with strict security in mind.

Everything a user sent to the database had to come from a logged-in session. That made sense for apps dealing with sensitive or user-specific data, things like notes, messages, or private uploads.

But for our cat game, this was absurd.

Did we really need to force people to sign up and log in just to click “YES, feed the cat”?

The cat didn’t care who you were.
It just wanted food.

Yet our system said:

“postRecord(): Login is required.”

That was the moment we realized something was off. The world needed a way to collect anonymous, public data safely.

When Security is a Problem

“Should I Feed the Cat?” was supposed to be a lighthearted test of Skapi’s frontend integration.

We added:

  • Pixel-style cats (waiting, happy, dead)
  • Eye blinks and tear animations
  • Confetti explosions for 10,000 “YES” votes
  • Thunderstorms if the “NO” side wins

Each visitor could spam votes as much as they wanted.
It was chaotic, hilarious, and strangely addictive.

But when we deployed it, reality hit:
No one could vote unless they logged in.

The backend was doing its job — protecting data integrity — but in this case, the protection was the problem.

We wanted people to interact instantly and just have fun without login.

The Breakthrough: Public postRecord()

That’s when we realized something powerful.

We could safely open part of Skapi’s data system to public anonymous writes, without exposing user data or compromising backend security.

How?

By allowing the postRecord() method to accept submissions from unauthenticated users when writing to public tables.

Here’s how it looked like:

await skapi.postRecord({ nickname, choice }, {
  table: 'cat_votes_open',
  index: { name: `choice.${choice}`, value: 1 }
});
Enter fullscreen mode Exit fullscreen mode

It’s easy to just let anonymous users post data to a backend, but doing it safely was the hard part.

We needed a way to ensure that anonymous users couldn’t access restricted tables or modify anyone else’s data.

Normally, Skapi enforces permissions using profile information from a user’s JWT token. But since anonymous users don’t have one, Skapi now generates a randomized, temporary security hash derived from each client’s public address.

Behind the scenes, Skapi also fully separates public tables from restricted tables, ensuring that anonymous submissions can only write new records but never edits or deletes existing ones. Each anonymous client is tracked as its own isolated device identity, allowing open participation without compromising data integrity or security.

That’s it. No login. No auth token. The cat finally got fed.

Under the hood, Skapi still handles all security:

  • Public tables are isolated from private ones.
  • No user data is exposed.
  • The backend validates every request.

Rate limits and data shape protections still apply.
In short — anyone can submit data, but no one can break the system.

Technical Key of Viral Web Apps

This isn’t just about a cat. It’s about lowering friction in web apps that rely on public engagement.

Think:

  • Polls & surveys
  • Comment walls
  • Feedback widgets
  • Micro games
  • Anonymous reactions

For all these, forcing logins just kills the vibe.
But letting the world interact freely, while keeping the backend secure, is how you make lightweight, viral apps that spread fast.

With this Skapi update, developers can now collect public, anonymous data safely.

That’s something few backends do right.

Secure vs. Accessible Web Application

Our little meme experiment revealed a gap between “secure” and “accessible.” And fixing it made Skapi better for everyone.

Now, anyone can use skapi.postRecord() to collect open data, whether it’s a public poll, an art project, or a crowdsourced idea board.

We built a cat game. The cat changed our API.

Try It Yourself

If you want to play (or feed the cat), you can check it out here: https://shouldifeedthecat.skapi.com/, or build your own version in minutes.

Here’s the minimal setup:

<script src="https://cdn.jsdelivr.net/npm/skapi-js@latest/dist/skapi.js"></script>
<script>
  const skapi = new Skapi("ap22wwR5jAtDMh1XdihI", "35dc3959-adff-4b97-9c91-a3cedd7a8b76");
  async function vote(choice) {
    await skapi.postRecord({ choice }, {
      table: 'public_votes',
      index: { name: `choice.${choice}`, value: 1 }
    });
  }
</script>
Enter fullscreen mode Exit fullscreen mode

That’s how a real backend logic with zero setup works.

Follow us on socials: X, YouTube, Instagram, LinkedIn. More tutorials, code drops, and dev hacks are coming soon.

Top comments (0)