Here's how to successfully authenticate a JWT supplied by Auth0.

Once your user has authenticated with Auth0, they will be given an accessToken and an idToken. Only the idToken is needed for our purposes.

It will look something like this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9.eyJnaXZlbl9uYW1lIjoiSm8iLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJuaWNrbmFtZSI6IkpvVGVzdCIsIm5hbWUiOiJKbyBMZSBUZXN0IiwicGljdHVyZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vam8ucG5nIiwidXBkYXRlZF9hdCI6IjIwMjYtMDQtMjhUMTM6NTk6NTUuNjcxWiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpc3MiOiJodHRwczovL2V4YW1wbGUuZXUuYXV0aDAuY29tLyIsImF1ZCI6ImFiYzEyMyIsInN1YiI6ImZhY2Vib29rfDEyMzQ1NiIsImlhdCI6MTc3NzM4NDc5NiwiZXhwIjoxNzc3NDIwNzk2LCJzaWQiOiJhYmMxMjMtNDU2LWRlZmdoaWprIiwibm9uY2UiOiIxMjM0NTY3ODkwIn0.ZgnZxOOtfczLewlm_agK6mJMYetVTZrHlBlu5qzXbADlhvZB8RraVuFKmFutLZLibMQxz_RY0oh4hRufVWDHJ0kuocW38kRHztDg7R5KOfvJEM46WW49xvhLhKprzkx9WXDDlpCRNL0QbBK2U0F1VjmRpTp1Q5cHEd8PBsa4rGAhfqudXp5JrC2Lm5e7ji0AQ_s7HJhy59b9mTb3tMqHGsrWDZS915zHPYEQtSvg5o9sSx1tCRfsyL6kdsdkaTffQjJDUrT5hpIQ-2_9tGuqioJjP4c0edQ85TaK9UnSxfzMQ8gYez963kbo_Iv1fJyaTVwXR-AVvwK-CeGJAFrheQ

Yeuch! If you stick it into JWT.io you'll see that it is Base64 encoded JSON containing a header, body, and signature. Each part is separated by a . character.

You could manually decode it, but that's a bit of a pain in the arse. So here's how to do it with the Auth0 PHP library. I'm using the Symfony one, but it should all be fairly similar.

First, import the library:

use Auth0\SDK\Auth0;

Next, you'll need to send the token to the PHP. You can do this in a header, GET, or similar:

$authHeader = $request->headers->get("Auth0-Authorization");

Then, set up Auth0 so that it can parse and validate the token:

try {
    $token = $authHeader;
    $auth0 = new Auth0([
        "domain"       => $_ENV["AUTH0_DOMAIN"],
        "clientId"     => $_ENV["AUTH0_CLIENT_ID"],
        "clientSecret" => $_ENV["AUTH0_CLIENT_SECRET"],
        "cookieSecret" => "_"   //  Dummy value.
    ]);

    $decoded = $auth0->decode(
        token: $token,
        tokenType: \Auth0\SDK\Token::TYPE_ID_TOKEN,
    );
} catch (\Exception $e) {
    error_log("Auth0 Error - {$e}");
}

The cookieSecret must be set - even though you aren't using cookies. Any non-null value is fine.

The tokenType must also be set correctly.

Assuming you all goes well, you will have a decoded object which has validated against Auth0. So how do you get the user's details from it?

Well, you could split the original idToken at the period character and Base64 decode the middle one. Try it now to see what it contains! Or print_r() the decoded token to see it in all its cryptographic glory.

The easiest way is to do:

$claims = $decoded->toArray();

Then you can access various properties by doing:

$username   = $claims["nickname"];
$identifier = $claims["sub"]; 

Perhaps there is a more official way - but I couldn't find anything in the documentation. Hurrah for reading source code!

The fact is, individuals are often targeted for espionage, blackmail, or other state-sponsored attacks.

Here's a list of some of the different advice I've received, roughly sorted into levels of suitability. Start at the top and work your way down until you reach a suitable level.

USB sticks? No thanks!

At some point, you'll be given a gift of a decorative USB pen drive. It'll either be part of a goodie-bag or you'll be told it has all of this quarter's TPS reports on it.

You should thank them for their kind gift. On your way back to the hotel, drop the stick in a bin.

There's just too much which can go wrong with a USB stick. Maybe it has a virus. Maybe it is an exfiltration device. Maybe it has extreme pornography and the police will catch you with it. Just chuck it. If anyone asks, say you couldn't get it to work and can they please email you the information.

USB Power? Play it safe!

USB powers everything from your phone and laptop, to your headphone and eReader. But USB cables also carry data. Some devices can be silently hacked by plugging them in to a dodgy power port.

Is it likely that the USB socket on the airport bus has been set up to exfiltrate travellers' data? Probably not - but why take the risk?

The best thing you can do is to always charge from your own device. Get a travel charger or, ideally, a portable battery and only use that for charging.

For extra paranoia, you can buy USB condoms and charging-only cables - but they tend to be slower at charging.

Reduce Your App Attack Surface

Do you need all those apps on your phone? Will you cope without your banking apps, dating apps, streaming apps? Each one is a potential vector for abuse.

Is it legal for you to date your preferred romantic partner in your intended destination? You shouldn't have to hide yourself, but having an illegal app on your phone is a great way to get picked up by the police.

Go through your phone and uninstall anything which isn't important to the trip.

A VPN probably draws more attention than it is worth, but browse cautiously

This is slightly counter-intuitive. Every important site on the web uses HTTPS. The really important ones are on a special list which means your browser will only use a secure connection. The chances of your data being intercepted is minimal.

But using a VPN immediately makes your traffic look suspicious and, in some countries, may be illegal.

That said, while the contents of your communications will be private, their destination is easy to figure out. Don't browse pornography or any other site which is liable to get you in trouble. This may include news sites from outside the country.

What passwords do you need?

Hopefully you use a password manager - and hopefully all your passwords are unique. But do you really need to carry around all of them? You password manager almost certainly allows you to create a sub-account into which you can deposit anything you need for your trip.

Similarly, you don't need all your MFA codes with you. If you do need MFA please make sure it isn't coming through SMS.

They're not flirting with you.

Mate, you're a middle-aged sales rep who scored a trip to a conference in an exotic country. Do you really think that pretty young thing is enthralled by your tales of middle-management?

No.

At best, the photos will be used to blackmail you. At worst the police will claim that they're under the age of consent and that will be used to blackmail you.

Laptops and Liability

Your IT team has provided you with a laptop which is encrypted and biometrically secured, right? But do you need that specific laptop?

They should grab a cheap laptop. Fill it with only the documents you need. When you get back home, toss it.

I'm quite serious, a £200 Chromebook is a cheap price to pay to prevent your secrets getting stolen or your network being infiltrated.

What Else?

Possibly you think some of these are overkill. Perhaps you think I'm not being paranoid enough. What would you add to the list?

Here's a trivial example:

<svg height="100" viewBox="0 0 100 100" width="100" xmlns="http://www.w3.org/2000/svg">
   <circle cx="50" cy="50"  fill="#fff" r="100"/>
</svg>

That code produces this circle:

You could print that out with a kilometre radius and it would still be a perfect circle - unlike a traditional raster image which is just a grid of blocky pixels.

But suppose you wanted to freely share your SVG with others - and ensure that they also freely share it. What sort of "Copyleft" licence would you give it?

Creative Commons

The obvious choice seems to be a Creative Commons Share-Alike licence. SVGs are images. Images are creative works. Creative Commons is suitable for creative works. Job done!

But…

SVGs are not images. The are code which produce images. If we assume that an SVG is software, this entry in the FAQ becomes relevant:

Can I apply a Creative Commons license to software?

We recommend against using Creative Commons licenses for software.

[…]

Unlike software-specific licenses, CC licenses do not contain specific terms about the distribution of source code, which is often important to ensuring the free reuse and modifiability of software.

[…]

Additionally, our licenses are currently not compatible with the major software licenses, so it would be difficult to integrate CC-licensed work with other free software. Existing software licenses were designed specifically for use with software and offer a similar set of rights to the Creative Commons licenses.

At the end of that FAQ, they also say:

While we recommend against using a CC license on software itself, CC licenses may be used for software documentation, as well as for separate artistic elements such as game art or music.

So, that's a perhaps?

GPL

But let us assume that an SVG is a piece of media rather than software. Would it be suitable to use a software licence for it?

The various Gnu Public Licences have this to say:

Can I use the GPL for something other than software?

You can apply the GPL to any kind of work, as long as it is clear what constitutes the “source code” for the work. The GPL defines this as the preferred form of the work for making changes in it.

A photo JPEG might be derived from the RAW image file. In which case, the RAW is suitable for being GPL'd, not the resultant JPEG.

Similarly, the Photoshop file of a complex and multi-layered illustration would suitable, but not the outputted PNG.

An SVG can straddle both worlds. It's possible to build an SVG with layers, groups, and transformations, and then simplify it for output. You could edit the optimised version, but it's hardly the preferred format.

I read the GPL (so you don't have to) and right at the start it says:

The GNU General Public License is a free, copyleft license for software and other kinds of works.

(Emphasis added.)

But do they mean that?

Licenses for Other Types of Works

[…]

We don't take the position that artistic or entertainment works must be free, but if you want to make one free, we recommend the Free Art License.

But, as delightful as the Free Art License is, the FSF say:

Please don't use it for software or documentation, since it is incompatible with the GNU GPL and with the GNU FDL.

Is an SVG software or not?

I think so.

• It's written in plain text.
• It contains definitions, variables, and instructions.
• It can contain scripting.

That sure looks like software to me!

But, at the same time, the user experiences it as a graphic. An animated GIF, for example, contains a small amount of code-like data to say how long each frame should last for and when to stop running. Is a GIF software? Is the basic circle above software? How much code do you need before something becomes software?

Are SVGs Libraries?

Licences like the LGPL and MPL allow copyleft libraries to be integrated into non-free software.

A proprietary application could treat an SVG as a library by asking the SVG to render the output and then displaying that. A bit of a reach, perhaps?

What about embedded raster graphics?

Just to complicate things, an SVG can also contain raster graphics. That is, it is possible to embed a PNG, JPEG, or any other traditional image within an SVG.

In this case, the embedded image can be Creative Commons licenced because CC BY-SA is compatible with GPLv3.

When someone creates an adaptation of a BY-SA licensed work and includes it in a GPLv3-licensed project, both licenses apply and downstream users must comply with both licenses. However, Section 2(a)(5)(B) of BY-SA 4.0 allows anyone who receives the adapted material downstream to satisfy the conditions of both BY-SA and GPLv3 (i.e. attribution and ShareAlike) in the manner dictated by the GPLv3.

(Emphasis added.)

The barest of SVGs containing only an embedded image probably wouldn't count as software. But what if you started applying programmatic transformations to them? This SVG embeds an image and uses software to rotate it upside down.

<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <image x="0" y="0" width="64" height="64"
    transform="rotate(180)"
    href="data:image/png;base64,iVB…" />
</svg>

Is that enough code to count as software?

Wisdom of the Crowds

I conducted a rigorously accurate public survey. Here are the results:

Post by @Edent@mastodon.social

View on Mastodon

Final Thoughts

Personally, I think SVGs are software. I understand the argument that they're suitable for Creative Commons, but I disagree with it. Even the simplest SVG is distributed in a way that its contents are executed by the computer.

While SVGs may be minified and stripped of comments, they still retain the essence of source code. I suppose you could try to obfuscate them, or package them up in a quasi-binary form, but I maintain the source is still viewable and editable.

If you choose to use a Creative Commons Share-Alike licence, it probably won't cause any harm. But given CC's reluctance to endorse its use on software, it probably makes sense to use a copyleft source-code licence.

Much like the misquote about Ringo not being the best drummer in The Beatles, I think this might be one of those semi-apocryphal lines which has taken on a life of its own.

Here's what Paul McCartney has to say in The Beatles Anthology, Episode 4.

That was broadcast in 1995 - so we need to look for sources from before that.

There's not much Internet before the mid-1990s. Google's mismanagement of the USENET archives is a cultural obscenity. Nevertheless, we can find a few references which predate McCartney's broadcast.

1994-12-26

Frankie used to introduce "Something" as his "tribute to Mr. Lennon and Mr. McCartney" ;^)

1990-03-05

In fact, a friend of mine (a supposed Beatle fan; turns out she's really just a L/M fan), were having a discussion about this very subject, she, just like Frank Sinatra, didn't know that George wrote "Something." Duh.

So it was certainly a proto-meme back then.

Of the thousands of Beatles books, I can't find any from before the mid-1990s which mention Sinatra's misattribution.

For example, 1994's The Complete Guide to the Music of the Beatles simply says:

Similarly, there are plenty of books and articles about Sinatra - lots of them talk about Something, but never this supposed misrepresentation. In 1980's New York Magazine, Sinatra is interviewed and says:

There are many videos of Sinatra singing Something on YouTube - none of them have him introducing the song as a Lennon/McCartney number.

Indeed, here's one where he introduces it as being by George Harrison.

I think that's 1982's The Concert for the Americas - in the Dominican Republic.

Here's a 1985 concert where he introduces it as being by George Harrison of The Beatles.

Way back in 1978 at Sinatra's Caesar’s Palace Concert, he introduces it with "George Harrison wrote it" and finishes with "by George Harrison".

Even back in 1975, during a concert in Jerusalem he was crediting Harrison, saying:

Every one of The Beatles was a very talented young man individually. And here's an example of George Harrison with a great love song."

I've now listened to dozens of recordings of Sinatra singing Something live and in none of them does he so much as mention John Lennon or Paul McCartney.

So is the quote apocryphal? Possibly not!

Less than a year after John Lennon was murdered, Sinatra treated Carnegie Hall⁰ to a series of 11 concerts.

On 10th September 1981, John Rockwell published Pop: Sinatra at Carnegie - a review of the opening night of Sinatra's concert series at New York City's Carnegie Hall:

Also on the 10th, a clutch of US papers reproduced a story by the inimitable Mary Campbell of the Associated Press.

Most of the syndicated versions leave out the parenthetical remarks.

On the 11th, Patricia O'Haire published a somewhat snide review of the September 9th concert in The New York Daily News

On 14th September 1981, a British newspaper re-reported the comment:

That's the Daily Express by Rob Benson, their Los Angeles correspondent¹.

By the 29th of September 1981, the story had made it to Australian Financial Times' The Bulletin.

It's unclear how many of those journalists were actually at the concert. I assume John Rockwell, Mary Campbell, and Patricia O'Haire were as they published fairly detailed reviews.

Tracking down a set-list for that long-gone concert is tricky. Carnegie Hall themselves get the dates wrong in their archive and say the first performance was on the 8th, and their set-list is sourced from Setlist.fm rather than their own records. The Sinatraphiles mailing list has a set-list for the 9th which does include "Something".

There's a purported recording of the September 10th concert with a set-list on the reverse:

There's no "Lennon" song - the only Beatles number is "Something". Let's take a listen to the introduction from that bootleg recording.

"A beautiful song by George Harrison. Maybe one of the best love songs ever written."²

So, that's a handful of contemporary sources who mention that Frank Sinatra once introduced "Something" as being composed by someone other than Harrison.

The only recording is of the concert the next day - and it doesn't includes that "blooper".

There's no other mentions I can find which directly cite a specific concert or performance.

Did Sinatra ever say it was his "favourite Lennon and McCartney song"? He sang in thousands of shows³, not all of which were recorded⁴, so it is entirely possible he mentioned it. But you'd expect more than a few reporters would write about it, wouldn't you?

The origin of the "quote", as far as I can tell, is from an interview Paul McCartney gave to David Hinckley in the New York Daily News on 21st October 1984.

That's the first time that I can see "Something" mentioned as Sinatra's "favorite Lennon-McCartney song".

I went rummaging through some reviews of Frank's concert performance which included "Something" in the set list.

His concert at the Palladium:

And Frank sings 'Something'. It's OK. The Vanilla Fudge were more adept at Beatle rewrites however.

Chris Salewicz. "Frank Sinatra: Palladium, London". New Musical Express (1975).

His concert at the Royal Albert Hall:

Superb renditions of Jim Webb's 'Didn't We?' and Harrison's 'Something' were recreated with a totally unique empathy. "Real Songs, beautiful songs", he said fervently, no trace of show-biz cant.

Max Bell. "Frank Sinatra: Royal Albert Hall, London". New Musical Express (1975).

And another report of the same gig:

Jimmy Webb's 'Didn't We' and the classic 'Nice And Easy', were exceptionally good, standing out easily among lacklustre renditions of 'Something', 'Strangers In The Night' and a David Gates song. In between, Sinatra delivered various controversial raps designed to instigate audience loyalties but proved that Sinatra should open his mouth only when singing.

Barbara Charone. "Frank Sinatra: Royal Albert Hall, London". Sounds (1975).

I've read dozens of gig reviews of old Sinatra concerts and they all contain various levels of snark about his performance, song choice, and politics - so you'd expect British reporters would have picked up on the misattribution, wouldn't you?

Instead, there's two slightly contradictory reports of one single concert and no suggestion that Sinatra himself said it was his "favorite Lennon-McCartney song". Given that he repeatedly credited George Harrison in the decade leading up to that concert, I think it is fair to say the "quote" has taken on a significance far beyond its actual importance.

If you have a recording of Sinatra introducing "Something" as a Lennon/McCartney number - or any other contemporary reports of that - please drop a comment in the box.

History

Let's do some history!

This is 1978's "HOST NAMES ON-LINE". Early Internet standards described the - character as "minus" rather than hyphen.

RFC 608

up to 48 characters drawn from the alphabet (A-Z),

digits (0-9), and the minus sign (-) ... specifically, no blank or space characters allowed;

no distinction between upper and lower case letters;

the first character is a letter;

the last character is NOT a minus sign;

no other restrictions on content or syntax.

So, originally, you could have as many hyphens as you wanted after the first symbol - which had to be a letter. The last symbol had to be a letter or number⁰.

That was later formalised in 1981's "DoD INTERNET HOST TABLE SPECIFICATION"

RFC 810 GRAMMATICAL HOST TABLE SPECIFICATION

<name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>]

That's carried in the the slightly more modern RFC 952.

By the time we hit 1987, the word "minus" has gone. Note, there are no restrictions on the number of hyphens - just as long as your domain name doesn't start or end with one¹.

RFC 1035 2.3.1. Preferred name syntax

The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen.

By 1989, the "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" was tweaked again:

RFC 1123 2. GENERAL ISSUES

The syntax of a legal Internet host name was specified in RFC-952. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax.

And, from then on, things stayed pretty stable until the futuristic year 2010. That was when Internationalised Domain Names (IDN) became available. They use the xn-- string at the start of the name so, the spec now says:

RFC 5891 4.2.3.1. Hyphen Restrictions

The Unicode string MUST NOT contain "--" (two consecutive hyphens) in the third and fourth character positions and MUST NOT start or end with a "-" (hyphen).

What they really mean is that "--" is banned in position 3 & 4 unless the first two characters are "xn"².

So, in theory, you can have up to 59 consecutive hyphens by ensuring that they start in position 4 and end at position 62.

Something like abc---[…]---z.com should be fine.

OR IS IT?!?!?

TLD Restrictions

There's what the RFC's say, and what a Top Level Domain (TLD) will allow. The Registry (the organisation which administers the TLD) may set their own, more restrictive, policies. Some will ban naughty words, or refuse IDN registrations, or prevent impersonation of Public Suffix domain, etc.

For example, South Sudan's .ss policies refuse to allow any hyphens.

Nominet, who run the .uk Registry, don't have any restrictions on the use of hyphens other than refusing to register xn-- domains.

But, in general, you can register multi-hyphened domain names with most Registries.

Anomalies

Of course, the mighty Internet mostly runs on spit and hope³. Naturally there are going to be mistakes, glitches, exceptions, and anomalies.

My delightful friend Q Misell had a rummage through her archives and helped track down some of the domain names which violate the modern rules. It's somewhat difficult to query every domain name, nevertheless, there are hundreds of multi-hyphened domains lurking within DNS.

Some, like ok--computer.com are long dead, but some are still active⁴!

Possibly the most consecutive hyphens belongs to http://a-------------------------------------------------------------a.com/

Sixty-one hyphens! The maximum possible, and it still works! The website looks like it hasn't been updated since it was first registered in 2000.

But what about more modern domains? The spookily named http://zz--icann-monitoring.uk/ was registered in 2024 - long after the rules were updated. But as Nominet doesn't allow xn-- domains, I guess it is fine?

There are some domains like bq--3bhauz7frjrgbka.com which look like they were pseudo-randomly generated. Perhaps as command-and-control servers?

Here's a quick table showing some of the ones Q found:

Note, "Live" just means an HTTP request returned something. There may, of course, be other services running on that domain, or on subdomains.

So What?

Without a full list of every domain name, it's rather hard to draw firm conclusions. But, in the absence of anything better to do, here are some thoughts.

• Most people don't want multiple consecutive hyphens in their domain names. They're unwieldy but mostly not prohibited.
• If the authors of RFC 5891 had access to a full list of domains, might they have chosen a different syntax for Punycode?
• Why is it so hard to look through every single registered domain name anyway? Even Certificate Logs no longer seem to be easily searchable.
• Are there any other weird restrictions which are violated by older domain names?
• When will DNS finally go all-in with Unicode rather than this kludge? (Probably around the same time as IPv6 adoption!)

If you know of any weird multi-hyphenated domains, please stick a comment in the box 😊

Update! A kind anonymous benefactor has shared a list of eighty-four thousand domains with multiple hyphens. There are some very odd entries in there.

For some reason, lots of Chinese manufacturers don't like publishing updates on their websites. Instead they supplied me with a link to a Google Drive containing an instruction PDF and an small .exe with the 2.4.06 update - no love for us Linux freaks. I've locally linked them if you want to install.

Through online chatter, I thought the latest version was v4.0, but Treedix said:

Your device is currently running software version 2.3 and can be updated to the latest available version, v2.4.06. However, please note that version v4.0 includes minor hardware updates. Due to hardware incompatibility, existing devices cannot be upgraded to v4.0 via software.

So, do be careful running this update. Make sure it is for the right version of the device. If in doubt, contact Treedix directly.

Upgrading was easy.

1. Switch on the Treedix by flicking the switch up.
2. Plug a USB-C cable into the charging port of the Treedix.
3. Connect the other end of the USB cable to your computer.
4. On your computer, open the .exe.
5. On the Treedix, hold down the function button.
6. While holding down the function button, flick the Treedix switch to off.
7. The upgrade program should detect the device.
8. On your computer, click "Upgrade"
9. Wait until complete before disconnecting and restarting the Treedix.

There are no release notes, but it does now appear to correctly read some of the more advanced eMarkers.

Is that dream dead? If so, what killed it?

A decade ago, I posted a plea looking for Easy APIs Without Authentication with a follow up post two years later. I wanted some resources that students could use with minimal fuss. Are any of the APIs from 10 years ago still alive?

Alive

These ones are still around:

• Wikipedia - Yes! Still going strong.
• Police.uk - Yes! After a brief dalliance with API registration, it is now back to being completely free and open.
• Google Books ISBN - Yes! Obviously Google have forgotten it exists; otherwise it would have been killed off by now!
• iTunes Lookup - Yes! Possibly the only thing Apple don't charge a premium for.
• Pokémon API - and still receiving frequent updates.
• MusicBrainz - this Internet stalwart will never die.
• Open Notify - a collection of space APIs, although the code hasn't been updated in ages.

Dead

These have shuffled off this mortal coil:

• BBC Radio 1 - No.
• Twitter URL statistics - LOLSOB No.
• Star Wars API - No.
• British National Bibliography - No. Dead due, I think to the British Library's cyber attack.
• Football Data - gone.

API Key Required

These are still alive, but you either need to pay or register to use them:

• Google Location
• Spotify
• OpenMovieDB
• Open Air Quality

What Happened?

Something something … enshittification … blah blah … zero interest rate phenomenon … yadda yadda our incredible journey …

But back in the land of rationality, I've had a lots of experiences running APIs and helping people who run them. The closure and lockdown of APIs usually comes down to one or more of the following.

APIs cost money to run. Yes, even the static ones have a non-zero cost. That's fine if you're prepared to endless subsidise them - but it is hard to justify if there's no return on investment. Anyway, who is using all this bandwidth? Which leads on to:

Lack of analytics. Yes, I know tracking is the devil, but it is hard to build a service if you don't know who is using it. Sure, you can see traffic, but you can't tell if it is useful to the end consumer, or what value you can share. There's no way to communicate with an anonymous consumer. Which, of course, takes us to the next barrier:

Communication is key. If you need to change your API, there's no way to tell users that a change is coming. That might be the announcement of a deprecation, an outage, or an enhancement. You can try smuggling error messages into your responses and hoping someone notices a failing service somewhere - but it's much easier to email everyone who has an API key. And you know what else keys are good for?

Stopping abuse. It'd be nice if everyone played nice online; but some people are raging arseholes. Being able to throttle bad actors (figuratively or literally) is a desirable feature. On a resource constrained service, you sometimes have to put rules in place.

Still, if you know of any good open APIs which don't require registration, and that you think will survive until 2036, please drop a link in the comments.