July update

18 Jul '20 • 2 min read

Setting up a business

Hyko is now a limited company! 🎉

It was surprisingly easy to do. We were approved within 24 hours and it cost us £12.

And look, we’ve got shares, two of them!

Ten minutes later, we had a business account set up (shout out to Monzo Business) and nabbed the @HykoAPI Twitter handle. Not sure why you’d want to, but you can follow us on Companies House if you like. We’re feeling tremendously serious and important.

Website spruce-up

I’ve been giving the site a bit of a spruce, so we have something to show off. Soon we’ll have a page for API documentation that we can work on and use to show off.

I’m currently looking through a few tools for our docs. Options are:

  • Slate, which looks neat and uses markdown files. It’s free and Monzo use it.
  • GitBook, which is more like a knowledge management platform. It looks super slick but it’s a bit pricy. I’m planning to chat to them to see if we can get it cheap / free if we’re only using it for one user.
  • Swagger, which auto-generates API docs from your code (big plus), but looks a bit meh. There are some tools out there to convert Swagger files to Slate docs, but at this point I think I’d rather focus on other things than faff around with that. But if you’re reading this and have an idea about how this can be done reliably I’d be keen to hear your suggestions!

After having a play around with Swagger and being a little disappointed by the output, I decided to throw up something on Slate for now while I’m waiting for GitBook to get back to me.

You can check out our API docs here 👀

If you want to have a go at auto-generating API docs with Swagger from Go code, I wrote a little how-to here.

API design

Our API should comply with the SCIM specification to make it easier for our clients to work with.

It’s essentially a standard for managing user identities to make integrations a little less painful.

Charlie’s been heroically reading through some of the SCIM RFCs so we can make sure our API is on point.

We’ve also been reading up on OAuth 2.0, which we plan to use for authorization.


We’ve been thinking more and more about security. If we intend on holding data on employees, we need to seriously assess the risks of that data being compromised and implement appropriate controls.

We’d love to get penetration tested by a CREST-approved provider as soon as we’re ready to onboard some customers. They’re pretty pricy (around £1k per day 😱), but worth it for the confidence they’ll give our clients and the feedback we’ll get to patch any vulnerabilities.

Also looking into the government-recommended Cyber Essentials certification, though it’s £300 and I’m not sure it’ll provide insights half as useful as we’d get from a penetration test.

Written by Naz
