Eric

Reputation: 1019

getstream: is it safe to expose the API key to the public?

I noticed that a GET on a notification feed responds with a next attribute containing the API key. Not the secret, just the API key.

I'm curious whether this is safe to expose to an end user?

Example:

"next": "/api/v1.0/feed/notification/user8/?id_lt=8a4ba960-76fc-11e7-8080-800139637857&api_key=blahblahblahblah&limit=1&location=unspecified&offset=0"

Upvotes: 3

Views: 403

Answers (1)

iandouglas

Reputation: 4306

The data payload you send to any of our API endpoints is encoded using your API secret into a JSON Web Token payload in the header for most calls. And guessing your very long API secret to properly encode anything would take an awfully long time, so yes, we feel it's safe.

Also, you cannot log into the dashboard using your API credentials in any way, so your billing information is safe (we still recommend turning on two-factor authentication in the dashboard, though).

Upvotes: 3
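The key-versus-secret distinction in the answer above, as an added example that is not part of the original answer and is not Stream's own code: a generic HS256 JWT signer and verifier showing that a token verifies only when it was signed with the secret. It assumes HS256; the secret value and the claim names are constructed for illustration.

```python
import base64, hashlib, hmac, json

API_KEY = "blahblahblahblah"                # public identifier, as in the question's URL
API_SECRET = "constructed-sample-secret"    # constructed value; stays on the server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: str) -> str:
    """Build an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_jwt(token: str, secret: str):
    """Return the claims if the signature matches the secret, otherwise None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError:          # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # refuse "none" and any unexpected algorithm
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    return json.loads(b64url_decode(body))

def demo() -> dict:
    claims = {"feed_id": "notificationuser8", "action": "read"}  # hypothetical claim names
    good = sign_jwt(claims, API_SECRET)
    head, body, sig = good.split(".")
    other = b64url(json.dumps({"feed_id": "notificationuser9", "action": "read"}).encode())
    return {
        "signed_with_secret": verify_jwt(good, API_SECRET),
        "signed_with_api_key": verify_jwt(sign_jwt(claims, API_KEY), API_SECRET),
        "payload_swapped": verify_jwt(f"{head}.{other}.{sig}", API_SECRET),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the first case returns claims; the token signed with the public API key and the token whose payload was swapped both fail verification.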
