Is it a bad practice to expose the database ID to the client in your REST API?

I don’t see any security reasons to expose the plain database ID in your API.
If your database is exposed you have lost anyways. Security through obscurity is never a solution.

However, there are some other reasons to consider:

  • Exposing the database ID creates a coupling to your database. Imagine merging data from different databases (sharing the same schema), or applying backup data to an already in use database. There will be no guarantee that the same IDs will still be available.

  • Designing a proper resource-based API requires you to expose universally unique IDs (UUIDs) or a technical composite key for the simple reason that there is no other way to ensure uniqueness across different systems/databases.
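The merge scenario from the answer, worked through as an added example (this code is not part of the original answer). It builds two in-memory SQLite "shards" with the same schema and constructed sample rows, each with an auto-increment `id` column used internally and a `public_id` UUID column exposed through the API. Merging by the integer `id` collides on every row, while merging by the UUID lets the target assign fresh internal IDs and keeps the identifiers clients already hold resolvable. The table name, column names and helper functions are assumptions for the illustration.

```python
import sqlite3
import uuid

# Same schema on every shard: an internal auto-increment key plus a
# UUID that is the only identifier the REST API ever hands out.
SCHEMA = """
CREATE TABLE orders (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,  -- internal database ID
    public_id TEXT NOT NULL UNIQUE,               -- UUID exposed as /orders/{public_id}
    customer  TEXT NOT NULL
);
"""


def make_db(customers):
    """Constructed sample shard: one order per customer, ids assigned 1, 2, ..."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name in customers:
        conn.execute(
            "INSERT INTO orders (public_id, customer) VALUES (?, ?)",
            (str(uuid.uuid4()), name),
        )
    conn.commit()
    return conn


def rows(conn):
    return conn.execute(
        "SELECT id, public_id, customer FROM orders ORDER BY id"
    ).fetchall()


def count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def merge_by_db_id(target, source):
    """Copy rows carrying their integer primary key. Returns how many collided."""
    collisions = 0
    for id_, public_id, customer in rows(source):
        try:
            target.execute(
                "INSERT INTO orders (id, public_id, customer) VALUES (?, ?, ?)",
                (id_, public_id, customer),
            )
        except sqlite3.IntegrityError:
            # Both shards handed out the same small integers independently.
            collisions += 1
    target.commit()
    return collisions


def merge_by_public_id(target, source):
    """Merge keyed on the UUID; the target assigns new internal ids. Returns rows added."""
    before = count(target)
    for _, public_id, customer in rows(source):
        target.execute(
            "INSERT OR IGNORE INTO orders (public_id, customer) VALUES (?, ?)",
            (public_id, customer),
        )
    target.commit()
    return count(target) - before


def api_lookup(conn, public_id):
    """What GET /orders/{public_id} resolves: by UUID only, never by the internal id."""
    row = conn.execute(
        "SELECT public_id, customer FROM orders WHERE public_id = ?", (public_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "customer": row[1]}


def demo():
    """Merge shard B into shard A both ways and report what happened."""
    shard_b = make_db(["carol", "dave"])
    carol_uuid = rows(shard_b)[0][1]

    # Attempt 1: merge by database id. Ids 1 and 2 already exist in A.
    shard_a = make_db(["alice", "bob"])
    collisions = merge_by_db_id(shard_a, shard_b)

    # Attempt 2: merge by the exposed UUID. A assigns internal ids 3 and 4;
    # a client that stored carol's public id can still fetch her order.
    shard_a2 = make_db(["alice", "bob"])
    added = merge_by_public_id(shard_a2, shard_b)

    return {
        "collisions": collisions,
        "count_after_id_merge": count(shard_a),
        "added": added,
        "count_after_uuid_merge": count(shard_a2),
        "carol_via_api": api_lookup(shard_a2, carol_uuid)["customer"],
        "internal_ids_after_uuid_merge": [r[0] for r in rows(shard_a2)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Clients never see the `id` column, so the internal key is free to change across merges, restores and shard moves; only the `public_id` needs to stay stable, and a UUID gives that stability without any coordination between databases.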
