Reputation: 33
I am using Kloudless to enable efficient file uploading on the client side.
However, my app currently exposes both my Kloudless API key and account id -- they will be public on the client side.
In addition to setting the trusted domains, is there any way to protect my keys right now while still enabling efficient file uploading?
Upvotes: 2
Views: 187
Reputation: 2368
You are absolutely correct that the Kloudless API Key should be kept confidential and not included on the client-side. Instead, I would use the user's Account Key. Account Keys function the same way as API Keys, but only provide access to the connected account.
Here is some information on using Account Keys with the File Explorer:
Account Keys can be returned from the File Explorer by setting the "account_key" option to true. They are only returned to Trusted Domains (added via the Developer Portal). Once you have them on the client-side, you can make requests using them. In addition, they can be retrieved via the backend as well.
Account Keys also come in useful when you would like to show returning users accounts they have already connected previously. By storing Account Keys for the user, you can render them on the client-side and pass them in via the "keys" option while instantiating the File Explorer, which will display the corresponding accounts to the user automatically.
Upvotes: 2
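The returning-user flow from the answer above, sketched as a server-side helper. This is an added example, not code from the original posts or from Kloudless. Only the `account_key` and `keys` option names come from the page; the function names, store layout and sample values are hypothetical.

```javascript
// Hypothetical server-side helper: stores each user's Account Keys and builds
// the File Explorer options that are rendered into that user's page.
// Constructed value; in practice the API key is read from server-side config.
const API_KEY = "constructed-api-key-0000";

// Per-user store of Account Keys (constructed sample data; a database in practice).
const accountKeysByUser = new Map([
  ["alice", ["constructed-acct-key-a1", "constructed-acct-key-a2"]],
  ["bob", ["constructed-acct-key-b1"]],
]);

// Fail closed if anything bound for the browser contains the API key.
function assertClientSafe(payload) {
  if (JSON.stringify(payload).includes(API_KEY)) {
    throw new Error("API key found in client-bound payload");
  }
  return payload;
}

// Record an Account Key that the File Explorer returned to this user's browser.
function saveAccountKey(userId, key) {
  if (typeof key !== "string" || key.length === 0) {
    throw new TypeError("invalid account key");
  }
  if (key === API_KEY) {
    throw new Error("refusing to store the API key as an account key");
  }
  const keys = accountKeysByUser.get(userId) || [];
  if (!keys.includes(key)) keys.push(key);
  accountKeysByUser.set(userId, keys);
}

// Build the options for the logged-in user only, so one user's Account Keys
// are never rendered into another user's page.
function explorerOptionsFor(userId) {
  const options = {
    account_key: true, // ask the File Explorer to return Account Keys
    keys: [...(accountKeysByUser.get(userId) || [])], // previously connected accounts
  };
  return assertClientSafe(options);
}
```
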