JavaScript API SDK security
I have developed an API for my new service and am in the process of developing SDKs (PHP, Ruby and JavaScript) for this API.

Some of the calls to the API are open to the public, but some require an API key and API secret. My question is: how do I make sure that people can hide their key and secret from the world while using the JavaScript API?

I would imagine the call looking something like:

```javascript
jQuery.ajax({
  url: 'http://api.domain.com/v1/display/',
  data: {
    offset: 0,
    limit: 0,
    apiKey: 'apikeynotlikelogin',      // the app's identifier, like a login
    apiSecret: 'apisecretlikepassword' // the secret, like a password, shipped to every visitor
  },
  success: function (data) {
    alert(data);
  }
});
```

But almost everyone these days knows that if they open Firebug, or even simpler, Ctrl+Shift+J in Chrome, they can see the code together with all the information above. I have considered many options, but it seems to me that there is just no way to hide apiKey and apiSecret on the front end.

Any suggestions? There must be a way, I'm sure.

Thanks!

EDIT:

Thanks everyone for the answers and for trying to solve the issue. Here are some of the answers and why they are still not what I need:

1. Using the domain name in the request to make sure it's from the correct client. This is a valid suggestion, but it could still be faked quite easily.

2. Generating a unique key for each call. This seems more advanced, but again I found it not usable for my case. I need to authorize the "App" (that's what people register in the system in order to get credentials and authorize to the API), because users will have different levels of privacy set, and clients will be served results according to those.

So if I make the client first call a "handshake" to get the unique session key, then again (either in the handshake or in the next request) the client has to send its apiKey and apiSecret in order to authorize to the API and get the correct result (according to policies etc.). So in the end it is exactly the same as without the handshake request: anyone who knows the apiKey and apiSecret could first call the handshake and then the authorization. Hope it makes sense.