Javascript and APIKey
jf26028
Registered Users Posts: 9 Beginner grinner
I am working on doing some stuff using the json api and javascript without the help of a php/asp.net server script. In order to call the smugmug apis on the client, I have to include my api key for all the world to see. Is this a security risk, from smugmug's point of view? Should this be avoided, or is it perfectly fine?
Just trying to get a best practice down, I guess.
Jesse Foster | jf26028
Comments
*as I understand it* the API key is a unique identifier that Smug can use to track API calls to a specific product.
So for example, if I create the product "PictureBrowser Extreme Plus Ultimate Series" and use API Key b23123323223blah, Smug would be able to pull stats and see that "Wow, we had 20k API calls this month for the PBEPUS product!"
That being said, if you embed your API Key in your JS, and some nefarious user decides to start using it himself for his own product or API calls... it's a lot of hoops to jump through (First the user would need to want your API key out of the JavaScript source, then besides that, he'd need to have a use-case for wanting one that made more sense than just generating his own from the Smug site).
My guess is that number is so small that you shouldn't worry about it.
If you were *really* concerned about it, it would be easy enough to host a Servlet or PHP script somewhere that when called simply returned your API Key, and then in your JavaScript you could just use that object's value all over the place.
Adding that 1 level of indirection is overkill I think, cause for the 1 or 2 people that *really* wanted your API key, they could just call your remote service themselves and get it.
So might as well stick it in your JS
kallasoft | The "Break It Down" Blog
I agree with you. Personally, I really don't care if anyone uses my api key, but I just didn't want to put smugmug in some sort of position that they didn't want to be in. If it's cool with smugmug, it's cool with me.
Jesse
That should be fine.
Cheers,
David
SmugMug API Developer
My Photos