ProtonMail / WebClients

Monorepo hosting the proton web clients
GNU General Public License v3.0

[question] API address, prefixed with app type subdomain vs global (prefixed with "mail" subdomain) #276

Closed vladimiry closed 2 years ago

vladimiry commented 2 years ago

Is there a difference if I use a "mail"-prefixed API address, like https://mail.proton.me/api, for all apps (mail/calendar/drive/account/vpn) vs using the API address prefixed with the app type subdomain for each app (https://mail.proton.me/api, https://calendar.proton.me/api, https://drive.proton.me/api, etc.), which is the default behavior for the in-browser clients (relative to page origin API address, i.e. /api)?

For my needs, it's easier to use a single mail.proton.me/api-like address for all apps, but I'm interested in whether there are any negative implications. For example, if you run/deploy different backend versions for each service independently, then using the https://mail.proton.me/api address on the "calendar" app won't be a good idea, since the "calendar" app requires its own/specific backend.

Currently, used API addresses, global for all apps (mail/calendar/drive/account/vpn):

CC @mmso / @bartbutler

bartbutler commented 2 years ago

Today, usually there's no difference, but in the future there will be, so for the sake of not breaking things I strongly encourage use of the separate domains for separate purposes. Also, the /api formulation largely exists to avoid CORS issues. If you can instead use mail-api.protonmail, calendar-api.proton.me, etc (without the /api please) then that would be preferred for us.

vladimiry commented 2 years ago

> If you can instead use mail-api.protonmail, calendar-api.proton.me, etc

The <app-type>-api-like subdomains don't seem to exist on protonmail.ch and protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion domains (related #248).

vladimiry commented 2 years ago

> The <app-type>-api-like subdomains don't seem to exist on protonmail.ch and protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion domains (related #248).

My bad, it exists on protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion, proton.me and protonmail.com domains, but not on protonmail.ch.

Does it mean that protonmail.ch domain support for API purposes is going to be stopped soon?

bartbutler commented 2 years ago

Yes, and eventually also protonmail.com. So please use either proton.me and Tor. -api subdomains.

vladimiry commented 2 years ago

Thanks for the support. Very helpful.

bartbutler commented 2 years ago

You're welcome!

vladimiry commented 2 years ago

> If you can instead use mail-api.protonmail, calendar-api.proton.me, etc

@bartbutler there is an issue with set-cookie headers on some requests.

For example, the https://mail-api.protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/auth/cookies request sets the REFRESH- record with path=/api/auth/refresh and the AUTH- record with path=/api/, and so the subsequent requests end up with a 401 error, since we don't use the /api/ prefix for calling the API (and so the AUTH cookie doesn't get applied to the subsequent requests) but the <app-type>-api subdomain (notice the auth call was made via /auth/cookies, without /api/ but via the subdomain).

It's not a big problem since it's easy for me to modify some cookies before sending them to a browser, but it generally looks like room for improvement.

vladimiry commented 2 years ago

> If you can instead use mail-api.protonmail, calendar-api.proton.me, etc

The upcoming ElectronMail v5.0.0 release is coming with <app-type>-api subdomain API address use. I had to remove the possible /api prefix from the cookie.path as described in the previous message.
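
The cookie-path mismatch and the workaround described in the two comments above, as an added example that is not code from ElectronMail or Proton: it applies RFC 6265 path matching to show why a cookie scoped to /api/ is not sent to /auth/cookies on an -api subdomain, then strips the /api prefix from the Path attribute. Function names and cookie names/values are constructed for illustration.

```javascript
// Added example; helper names and sample cookies are constructed, not taken from any project.

// RFC 6265 section 5.1.4 path-match: is a cookie with `cookiePath` sent for `requestPath`?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Strip a leading "/api" segment from the Path attribute of one Set-Cookie value.
// All other attributes (Secure, HttpOnly, SameSite, Expires, ...) pass through untouched,
// so the rewrite changes only the path scope and never weakens the cookie flags.
function stripApiPrefixFromCookiePath(setCookie, prefix = "/api") {
  return setCookie
    .split(";")
    .map((part, i) => {
      if (i === 0) return part; // name=value pair, never an attribute
      const m = /^(\s*path\s*=\s*)(.*?)\s*$/i.exec(part);
      if (!m) return part;
      const path = m[2];
      // Rewrite only "/api" or "/api/..."; leave e.g. "/apiary" alone.
      if (path !== prefix && !path.startsWith(prefix + "/")) return part;
      return m[1] + (path.slice(prefix.length) || "/");
    })
    .join(";");
}

// Read the Path attribute back out of a Set-Cookie value ("/" if absent).
function cookiePath(setCookie) {
  const m = /;\s*path\s*=\s*([^;]*)/i.exec(setCookie);
  return m ? m[1].trim() : "/";
}

// Constructed headers shaped like the ones described in the thread.
const sampleSetCookies = [
  "AUTH-constructedUid=constructedToken; path=/api/; secure; HttpOnly",
  "REFRESH-constructedUid=constructedToken; path=/api/auth/refresh; secure; HttpOnly",
];

// For each header: was the cookie sent to `requestPath` before and after the rewrite?
function report(requestPath) {
  return sampleSetCookies.map((header) => {
    const fixed = stripApiPrefixFromCookiePath(header);
    return {
      fixed,
      sentBefore: pathMatches(requestPath, cookiePath(header)),
      sentAfter: pathMatches(requestPath, cookiePath(fixed)),
    };
  });
}

console.log(report("/auth/refresh"));
```
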