Why an auto-publishing API needs its own design
Once a personal blog starts using automation to create and publish articles, the normal admin form is no longer enough. Admin pages are designed for humans. A publishing API is designed for scripts. Mixing the two usually leads to broad permissions, unclear logs, and failures that are hard to diagnose.
A reliable Flask publishing API should answer five questions: how the caller is authenticated, how the article payload is validated, what happens when publishing fails, how URLs stay stable, and how the system confirms that the article really reached production.
Use a separate token for machine access
Automation should not store an admin username and password. A safer pattern is a dedicated API endpoint protected by a bearer token:
POST /api/articles/publish
Authorization: Bearer <AUTO_PUBLISH_TOKEN>
The token belongs in environment variables, not in source code. The server keeps AUTO_PUBLISH_TOKEN in its .env file, and the automation environment stores the same value. If the token ever needs to be rotated, you replace the environment variable without changing the admin account.
Inside the Flask app, compare tokens with a constant-time function:
import secrets
secrets.compare_digest(supplied_token, expected_token)
Validate the JSON payload before saving
Generated content should not be trusted just because it comes from your own automation. The API should verify that the title is present, the summary fits the database limit, the Markdown body is not empty, the category is valid, the status is one of the allowed values, and tags are provided as a list.
Clear responses matter. Use 400 for invalid payloads, 401 for authentication failures, and 409 for database conflicts. Good error boundaries make automation logs useful.
Keep slugs ASCII-only
Chinese titles are fine, but URL slugs should be ASCII. Different terminals, logs, search submission tools, and HTTP clients display non-ASCII paths differently. That makes debugging harder than it needs to be.
A simple pattern works well:
flask-auto-publish-token-retry-check-zh
flask-auto-publish-token-retry-check-en
Use separate slugs for Chinese and English versions. Add -zh or -cn for Chinese, and -en for English.
Retry network failures, not bad requests
Retries are useful for temporary failures such as connection resets, timeouts, or a brief 502. They are not useful for invalid JSON, missing tokens, or empty content. A publishing script should treat these differently.
A practical rule is simple: fail fast on most 4xx errors, but retry once for network errors and 5xx responses. Print the retry attempt and wait time so the log explains what happened.
Verify the article after publishing
A successful API response should include the article ID, slug, status, and title. The script can use the slug to build the public URL and then check that the URL returns 200 for published articles.
For deeper checks, query the latest production rows:
select id, status, slug, title, published_at
from article
order by id desc
limit 20;
This catches the common case where the automation ran locally but did not write to the online database.
Submit only after the page is stable
After publishing, wait 10 to 30 minutes before submitting the URL or sitemap to search platforms. That gives the page, sitemap, and caches time to settle. If Baidu or Google credentials are missing, the script should report the missing configuration instead of pretending the submission succeeded.
Summary
A Flask blog publishing API does not need to be complicated, but it does need clear boundaries. Let humans use the admin panel. Let automation use a token-protected API. Validate JSON before saving, use ASCII slugs, retry only recoverable failures, and verify the production result. That turns auto-publishing from a hopeful script into a maintainable workflow.