Well, for one, the information isn't passed back in the best way. For example, when creating a new user using the API, the entire website is passed back, instead of one or two variables with information stating that the command was processed, and a status code. If one were to use DirectAdmin in a large capacity, with the API being called constantly, this could place unnecessary strain on the server.
Here are a couple of examples of APIs that pass back information properly:
http://developer.37signals.com/basecamp/
Basecamp uses XML, which is quickly becoming the standard for APIs. It would be easier to write API classes for DirectAdmin in languages other than PHP with XML. Here's an example of a conceptual request in XML for DA:
(Let's assume that the URL request structure doesn't change.)
Request: /CMD_API_CREATE_USER
Code:
<request>
  <user>
    <username>#{username}</username>
    <email>#{email}</email>
    <password>#{password}</password>
    <password-confirmation>#{password}</password-confirmation>
    <domain>#{domain}</domain>
    <package-id>#{package}</package-id>
    <ip>#{ip}</ip>
    <notify>#{true|false}</notify>
  </user>
</request>
The API should be disabled by default, and enabled only by administrators. This could possibly increase DirectAdmin's security.
On the topic of security, I believe that DirectAdmin should implement something like an "API key" that administrators have to generate inside DirectAdmin. Use the concept of Authorize.net as an example. They give you a User ID and an API key, instead of the username's actual login password. This could potentially save their login passwords from being intercepted and cracked.
Then, there are error codes that could be passed back with the XML. Instead of sending an entire web page back with some text in the middle that we have to interpret using any variety of methods in any language (e.g., "strpos($result, "Please enter your Username and Password")" in PHP), you could just build a standard list of error codes! Here is an example of Digg's error codes:
http://apidoc.digg.com/Errors#ErrorCodesandMessages
This is also useful if the language varies per user, as an error number never changes.
Code:
GET /CMD_API_CREATE_USER HTTP/1.1
Host: example.server.com
Accept: */*

...

HTTP/1.1 403 Forbidden
Content-Type: text/xml;charset=UTF-8
Content-Length: 71

<error code="1000" message="Cannot login without username and password" />
Let's discuss this! I am not bashing anyone, and maybe this API works for some. I just think the DirectAdmin developers should be open to making their API better, more secure, and definitely more efficient. Cheers!
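A client for the conceptual XML format proposed in this post, as an added Python example that is not part of the original post and not DirectAdmin's actual API. The function names and the `AUTH_REQUIRED` constant are assumptions; the element names and error code 1000 come from the post's samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies following the post's conceptual format.
ERROR_BODY = b'<error code="1000" message="Cannot login without username and password" />'
HTML_BODY = b"<html><body>Please enter your Username and Password</body></html>"

# Hypothetical code table; only 1000 appears in the post.
AUTH_REQUIRED = 1000


def build_create_user_request(fields):
    """Serialize the post's <request><user>...</user></request> document.

    ElementTree escapes <, > and & in values, so a field such as a password
    cannot inject extra elements into the request.
    """
    request = ET.Element("request")
    user = ET.SubElement(request, "user")
    for name, value in fields.items():
        ET.SubElement(user, name).text = str(value)
    return ET.tostring(request, encoding="unicode")


def parse_api_error(status, content_type, body):
    """Return (code, message) for an error response, or None on success."""
    if status < 400:
        return None
    # Branch on the machine-readable code, never on localized page text.
    if not content_type.lower().startswith("text/xml"):
        raise ValueError("error response is not XML; refusing to scrape HTML")
    # Reject DTDs so a hostile or broken server cannot feed entity tricks.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed in API responses")
    root = ET.fromstring(body)
    if root.tag != "error":
        raise ValueError("unexpected root element: " + root.tag)
    return int(root.attrib["code"]), root.attrib.get("message", "")


if __name__ == "__main__":
    print(build_create_user_request({"username": "alice", "password": "a<b&c"}))
    code, message = parse_api_error(403, "text/xml;charset=UTF-8", ERROR_BODY)
    print(code == AUTH_REQUIRED, message)
```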