This document discusses implementing an external AJAX interface with ForgeRock's OpenIDM identity management solution. It weighs exposing the OpenIDM, OpenAM, or OpenDJ APIs, and recommends OpenIDM because it provides the most flexibility: workflow, support for multiple data stores, and custom endpoints. Security considerations for an internet-facing API include placing a reverse proxy in front of the service to reduce the attack surface and enforcing API policies at that layer. A middle tier may be useful for business logic, token-based authentication, and hosting non-identity content. Potential gotchas include protecting OpenIDM with OpenAM and handling the detailed user status values returned by OpenAM's authentication REST API. The document provides contact information for an identity architect at Nulli who can answer additional questions.