I'm using the OpenTok .js API to build a web app.
The TokBox "Security Best Practices" doc (https://tokbox.com/developer/guides/security/#best-practices) says "Keep the API key and secret private and secure"
I can keep the API "secret" out of the browser app, but as far as I can tell, the API Key has to be available to the browser, in order to make calls to OT.initSession().
Am I missing something, or is the TokBox documentation just misleading?
Manik here from the OpenTok team.
You are correct, the API Key will be available on the client side (browser, mobile device, etc) as expected. This is not an issue because you need the API Key & API Secret combination to be able to create sessions, generate tokens, etc.
For security purposes, you should not expose the combination of API Key and API Secret.
Related
I have added a non-renewable subscription for one of my projects. We also started implementing the Google play developer API to get the subscription latest status from the Play Store. For that we have done the below steps as per this blog:
Linked the developer account to a new Google Cloud Project.
Enabled the Google Play Developer API for the Google Cloud Project.
Created a service account and created a key for the service account.
I have below clarifications related to this implementation:
I tried to Grant Access for the following permissions: But the corresponding checkmark is not clickable.
View financial data, orders, and cancellation survey responses
Manage orders and subscriptions
The 3rd step as per the blog is to Authorize an API key, but I didn't get a clear idea of that.
We are going to implement this API on the back end side as a corn job, do we need to generate a JWT token for accessing this API? Is this possible to call without a Token? I found 2 types of implementations from this blog, which one is easy and secure?
"Your application can complete these tasks either by using the Google APIs client library for your language or by directly interacting with the OAuth 2.0 system using HTTP."
From where we get the get API path and other details. I found a similar get API from AppStore like this. Is the play store providing a similar kind of get API?
We need the latest purchase status API and for that what parameters do we need to pass?
I have a website that use Nuxt for server render and deployed using Cloud Run.
It pulls the YouTube videos of a channel using the YouTube Data API key and pre-rendered it before send to the browser. This is for SEO purpose.
Currently I using the API key restriction option HTTP referrers (web sites) to only allow access from my website.
But on the server when it pre-rendered the API is blocked.
Is there a good solution to add the referrer and allow for Cloud Run to use the API key?
I found a solution which is in my opinion is not the best yet.
I have 2 separate key Youtube API server and Youtube API web.
server key has no restriction
web key is restrict to HTTP referrers (web sites)
In my Nuxt app, when query for server side render, I use the server key. Then when it passed to client side. It use the web key.
This way I protect the "no restriction" key.
I'm not sure any better solution but I imagine in the future, server key without restrictions can be use for multiple services other than Youtube API and only server side have access to that key.
I need to list/change the Google API key restriction by Google API or CI.
I tried to add HTTP referrer restriction to Google API key by Node JS API or gcloud CI, but I only got to list the "service account keys, however I need to list and change the "API keys".
Currently, is possible add restriction by the Google Cloud Console, but like I need to change the API key restriction many times I need to automate this.
You cannot; there is no public API for managing API Keys (or OAuth client IDs).
Consider filing a feature request on Google's public issue tracker (link)
I want to integrate gmail and google calendar in my web application. I can login via google and make api calls to either gmail OR google calendar API, depending on the authorisation that I request from google.
I have not found a way to request authorisation for more than one APIs simultaneously. Is this even possible? Is it possible to receive one access token in order to use it for requests against more than one of Google's APIs?
As far as I know it can be done. If you try testing it in Google Oauth 2.0 Playground and select multiple API scopes.
"scope": "https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive"
It should look like this:
Hope this helps.
everyone. I'm recently learning OAuth authentication. I'm playing around with google's oauth api. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client id to initialize the GoogleAuth object. I'm just wondering if we need to keep the client id secret because right now anyone can find out what the client id is by looking into the javascript.
You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URI's on the server side. See more details on this Quora thread or this IETF thread.