
Javascript and APIKey

jf26028 Registered Users Posts: 9 Beginner grinner
I am working on doing some stuff using the json api and javascript without the help of a php/asp.net server script. In order to call the smugmug apis on the client, I have to include my api key for all the world to see. Is this a security risk, from smugmug's point of view? Should this be avoided, or is it perfectly fine?

Just trying to get a best practice down, I guess.

Jesse Foster | jf26028

Comments

  • rkalla Registered Users Posts: 108 Major grins
    edited October 13, 2007
    Jesse,
    *as I understand it* the API key is a unique identifier that Smug can use to track API calls to a specific product.

    So for example, if I create the product "PictureBrowser Extreme Plus Ultimate Series" and use API Key b23123323223blah, Smug would be able to pull stats and see that "Wow, we had 20k API calls this month for the PBEPUS product!"

    That being said, if you embed your API Key in your JS, and some nefarious user decides to start using it himself for his own product or API calls... it's a lot of hoops to jump through (First the user would need to want your API key out of the JavaScript source, then besides that, he'd need to have a use-case for wanting one that made more sense than just generating his own from the Smug site).

    My guess is that number is so small that you shouldn't worry about it.

    If you were *really* concerned about it, it would be easy enough to host a Servlet or PHP script somewhere that when called simply returned your API Key, and then in your JavaScript you could just use that object's value all over the place.

    Adding that 1 level of indirection is overkill I think, cause for the 1 or 2 people that *really* wanted your API key, they could just call your remote service themselves and get it.

    So might as well stick it in your JS ;)
  • jf26028 Registered Users Posts: 9 Beginner grinner
    edited October 13, 2007
    Sounds good
    rkalla wrote:
    Jesse,
    *as I understand it* the API key is a unique identifier that Smug can use to track API calls to a specific product.

    So for example, if I create the product "PictureBrowser Extreme Plus Ultimate Series" and use API Key b23123323223blah, Smug would be able to pull stats and see that "Wow, we had 20k API calls this month for the PBEPUS product!"

    That being said, if you embed your API Key in your JS, and some nefarious user decides to start using it himself for his own product or API calls... it's a lot of hoops to jump through (First the user would need to want your API key out of the JavaScript source, then besides that, he'd need to have a use-case for wanting one that made more sense than just generating his own from the Smug site).

    My guess is that number is so small that you shouldn't worry about it.

    If you were *really* concerned about it, it would be easy enough to host a Servlet or PHP script somewhere that when called simply returned your API Key, and then in your JavaScript you could just use that object's value all over the place.

    Adding that 1 level of indirection is overkill I think, cause for the 1 or 2 people that *really* wanted your API key, they could just call your remote service themselves and get it.

    So might as well stick it in your JS ;)

    I agree with you. Personally, I really don't care if anyone uses my api key, but I just didn't want to put smugmug in some sort of position that they didn't want to be in. If it's cool with smugmug, it's cool with me.

    Jesse
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited October 14, 2007
    G'day Jesse,

    That should be fine.

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos