
Trustpilot's API Collection | Migrating to Bruno for Security and Versioning

Trustpilot brings businesses and consumers together through the power of reviews. Their online platform is a leader in the space with over 320 million total reviews. To extend value for merchants on their platform, they provide extensive API capabilities for integration with other tooling, improving SEO and user experience, and enhancing customer service. 

Focused on the best experience for their API consumers, Trustpilot decided to publish Bruno collections in a public GitHub repository because of Bruno's overall security posture and the ability to version the collections directly in Git.

In this post, we explore why supplying a collection is critical for user adoption and why Trustpilot felt leveraging Bruno was the best solution. 

Reducing Time to First Call (TTFC)

Providing API access to your users or customers has become table stakes, and it's not uncommon to hear that vendor selection was heavily based on ease of API integration. Due to this, the time it takes for a user to make their first call to your API - or even better, have a meaningful output - is often seen as the most important metric for a public API. 

Beyond browsing your website and documentation, a developer's judgement of your API gets serious when they try to make the first call. For this reason, offering a way to both understand and interact with an API has been adopted more widely in recent years. A collection that can be consumed in an API client reduces setup time, adds a layer of familiarity, and gives more of a real-world feel than a dummy sandbox setup.

Trustpilot skillfully recognized this need and advantage, and had been providing collections in various ways over the years through their documentation and support resources. 

Security Concerns 

Trustpilot had been using Postman for quite some time to share runnable API requests and documentation, but recently became concerned about the potential security risk posed to both internal and external users of these collections.

The intent behind providing collections is to ease a developer's evaluation of your API and to provide a good experience. When you suggest using a certain tool, that suggestion is, in part, an extension of your own product or brand. Many developers have turned away from other API clients because those clients require a login and store your information in their cloud, so recommending such a tool can reflect negatively on your own security posture or policy.

Just last month, CloudSEK released the findings of a year-long investigation that surfaced over 30,000 public collections with leaked credentials. This could mean that nearly 1 in 10 public Postman collections has leaked sensitive information.

"In most instances, these collections included access tokens, refresh tokens, third-party API keys, and even test or demo user data from organizations of various sizes and across different industries."

- CloudSEK

Shockingly, this is even higher than Truffle Security Co.'s study from April 2024, which claimed that Postman's Public API Network may be "one of the largest public sources of leaked secrets" and estimated that more than 4,000 live credentials were exposed at the time of writing.

"We estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers."

- Truffle Security Co

With these concerns in mind, Trustpilot came across Bruno, which seemed like an obvious choice because it is a fully local API client with no cloud sync and no concept of a login.

From a security standpoint, recommending Bruno both for internal use and for API consumers was a no-brainer.

Versioning Capabilities

Although Git is the collaboration and storage mechanism for all other areas of software development, historically, API clients have used cloud workspace constructs similar to Google Drive. Unfortunately, this means that there is a fundamental struggle with versioning, as the collections that test, document, or monitor the API live so far away from the code itself.

"Having a public Bruno collection on Github is much easier to access, whether that's internally or externally."

This struggle increases when external users come into the mix, using collections exported or downloaded from a website with no normal way to reach back and update them. In the mindset of reducing TTFC, if your API consumer has an outdated collection there is a near-zero chance of success.

Bruno’s architectural difference is that collections are stored locally, directly on your file system. This is what allows any Git provider to ingest the collections, and then you’re able to perform GitOps against the collections as you would anything else.

The team at Trustpilot immediately recognized the benefits of not only being able to better version their collections, but also bring this process closer to the developer's existing day-to-day workflow. 

Migration to Bruno

Switching any tooling, especially outward-facing, can seem daunting. Fortunately, Bruno can import collections from other API Clients and automatically translate items like tests and scripts. Trustpilot engineers reported a smooth migration and praised Bruno’s usability and security.

"Creating a functioning Bruno collection that could be utilised by all our engineers was seamless and works as well as Postman."

Bruno also offers migration services if there are any issues you encounter when making the switch from another tooling provider. You can contact our sales team to discuss your current implementation and options for migrating to Bruno. 

Trustpilot's Bruno Collection

The Trustpilot team now maintains a public GitHub repository containing Bruno collections for all of their APIs. Once you have cloned the repo and opened it in Bruno, you can be confident that the collection stays up to date simply by pulling down new changes.

The collection contains 11 core functions of the API:

Let’s get started! 🚀

Getting Started with the Trustpilot API Collection in Bruno

To begin, you’ll need to download and install Bruno, which is available for Windows, macOS, and Linux.

Once installed, you’ll fetch 🐶 the API collection for Trustpilot.

Step 1: Clone the Repo from GitHub into Bruno

Clone the public GitHub repository containing Trustpilot’s Bruno Collections.


Open the collection in Bruno. If you’re unfamiliar with Git, you can follow these instructions on cloning a repository.

Step 2: Set Up the Environment

  1. The collection already includes an environment named trustpilot.com, so you can simply enter your own values for the relevant variables.

  2. Obtain your Trustpilot API key by logging into your Trustpilot Business account and navigating to the API Integration section.
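Because the leaked-collection findings above come from credentials committed alongside the collection, a team versioning Bruno collections in a public repository will want a check that catches inline credential values before they reach Git. The following is an added example, not code from Trustpilot's repository or from Bruno; it assumes Bruno's environment file layout (`vars { name: value }` for plain variables, `vars:secret [ name ]` for secrets whose values stay on the local machine) and uses constructed sample files.

```shell
#!/bin/sh
# Added example (not from the Trustpilot repo or from Bruno): a pre-push style
# check that flags credential-looking variables carrying inline values in a
# Bruno environment file. Assumes Bruno's environment layout: `vars { }` for
# plain variables and `vars:secret [ ]` for secrets that are never written to
# the file.

# Constructed sample: apikey has an inline value and would be committed.
write_leaky_env() {
  cat > "$1" <<'EOF'
vars {
  baseUrl: https://api.trustpilot.com/v1
  businessUnitId: EXAMPLE_BUSINESS_UNIT_ID
  apikey: EXAMPLE_KEY_NOT_REAL
}
vars:secret [
  secret
]
EOF
}

# Constructed sample: both credentials declared as secrets, no inline values.
write_clean_env() {
  cat > "$1" <<'EOF'
vars {
  baseUrl: https://api.trustpilot.com/v1
  businessUnitId: EXAMPLE_BUSINESS_UNIT_ID
}
vars:secret [
  apikey
  secret
]
EOF
}

# Prints offending variable names; returns 1 if any were found, 0 otherwise.
check_bru_env() {
  hits=$(awk '
    /^vars[[:space:]]*\{/ { inblock = 1; next }   # enter the vars block
    inblock && /^\}/     { inblock = 0; next }   # leave it at the closing brace
    inblock && match($0, /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*:/) {
      name = substr($0, RSTART, RLENGTH); gsub(/[[:space:]:]/, "", name)
      value = substr($0, RLENGTH + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
      if (tolower(name) ~ /apikey|api_key|secret|token|password/ && value != "")
        print name
    }' "$1")
  [ -z "$hits" ] && return 0
  echo "$1: credential-like variables with inline values: $hits" >&2
  return 1
}
```

Run `check_bru_env` over every file under the collection's `environments/` directory in a pre-commit hook so that a variable such as `apikey` is only ever declared under `vars:secret`.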

Exploring the Trustpilot API Using Bruno

The Trustpilot API is organized into several endpoints, including reviews, invitations, business units, and more. Each endpoint in the collection includes all available request methods (e.g., GET, POST) and parameters. Trustpilot has their own walkthrough here if you prefer.

Example: Fetching Business Unit Reviews

To fetch reviews for a business unit, follow these steps:

  1. Navigate to the Business Units API folder

  2. Select the Get a business unit's reviews request.

  3. Ensure there is a businessUnitId parameter either entered or pulled from a variable. 

  4. Click Send.

If everything is set up correctly, you’ll receive a response containing reviews for the specified business unit. Bruno’s response viewer makes it easy to analyze and understand the data.

Example: Creating Review Invitations

To create an invitation for customer reviews:

  1. Navigate to the Invitation API folder.

  2. Select the Create Invitations (private) request.

  3. Ensure there is a businessUnitId parameter either entered or pulled from a variable. 

  4. Fill in the request body with customer details, such as email and name.

  5. Click Send.

You’ll receive a confirmation that the invitation has been successfully created. This can be used to streamline your review collection process.

Why Use Bruno?

Here’s why developers love using Bruno:

Feature        | Bruno                               | Other API Clients
Pricing        | Open Source & Affordable Paid Plans | Free & Expensive Paid Plans
Data Storage   | Local-First                         | Requires Cloud Sync
Collaboration  | Native Git Integration              | Cloud-Based Sharing
UI/UX          | Clean, Modern Interface             | Complex, Bloated

Bruno Advantages

  • Local-First: All data is stored locally, ensuring faster and more secure workflows.

  • Git Integration: Sync, version, and collaborate with your team using Git.

  • Open Source: Full control over the tool, with contributions from the community.

  • Lightweight: Fast and simple, focused solely on API development.

Summary

Using Bruno to test and explore the Trustpilot API is a straightforward and powerful way to streamline your workflows. The collection provided by the Trustpilot team makes it dead simple to set up authentication, prototype, and test your integrations. 

With Bruno, you can:

  • Authenticate requests using your Trustpilot API key and secret.

  • Explore endpoints for reviews, invitations, and business units.

  • Build simple or advanced API workflows.

We’re excited to see what you build using Trustpilot and Bruno! If you have any feedback for the Trustpilot team, open an issue on their repo or tweet @TrustieSupport.