How to use Client Key instead of Rest Api Key for Android on Parse.com Rest Api requests

Question

In Parse.com Rest API documentation it says this:

You should not use the REST API Key in client apps (i.e. code you distribute to your customers). If the Parse SDK is available for your client platform, we recommend using our SDK instead of the REST API. If you must call the REST API directly from the client, you should use the corresponding client-side Parse key for that plaform (e.g. Client Key for iOS/Android, or .NET Key for Windows/Xamarin/Unity).

In my retrofit api I have the following code with header:

  @Headers({"X-Parse-Application-Id: " + ParseEndPointConfig.PARSE_APPLICATION_ID, "X-Parse-REST-API-Key: " + ParseEndPointConfig.PARSE_CLIENT_KEY})
  @POST("classes/Xxx")
  Observable<XxxParseObject> createXxx(@Body XxxParseObject circle);

As stated in the docs, using Rest Api Key is not recommended. It is suggested to use Client key for Android. How should the header look like if I used Client key for authentication? Is there any example on using Client key instead of Rest Api key for client side applications?

Answer 1

Short answer: use the header X-Parse-Client-Key in your REST call.

Full explanation: When you look at the Parse REST docs, you frequently see examples like this:

curl -X POST \
  -H "X-Parse-Application-Id: ${APPLICATION_ID}" \
  -H "X-Parse-REST-API-Key: ${REST_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"score":1337,"playerName":"Sean Plott","cheatMode":false}' \
  https://api.parse.com/1/classes/GameScore

Note how the parse headers start with X-Parse-. I previously needed to figure out how to use dotNET key for parse-push-plugin. On a hunch, I searched the dotNET SDK for X-Parse-, and found the header to be X-Parse-Windows-Key.

Doing the same thing with the Java SDK, you would find the following declarations in ParseRESTCommand.java

static final String HEADER_APPLICATION_ID = "X-Parse-Application-Id";
static final String HEADER_CLIENT_KEY = "X-Parse-Client-Key";