Matthew H.

Reputation: 31

OpenTok / TokBox: Keep the API Key secret?

I'm using the OpenTok .js API to build a web app.

The TokBox "Security Best Practices" doc (https://tokbox.com/developer/guides/security/#best-practices) says "Keep the API key and secret private and secure".

I can keep the API "secret" out of the browser app, but as far as I can tell, the API Key has to be available to the browser, in order to make calls to OT.initSession().

Am I missing something, or is the TokBox documentation just misleading?

Upvotes: 3

Views: 344

Answers (1)

Manik

Reputation: 1515

Manik here from the OpenTok team.

You are correct, the API Key will be available on the client side (browser, mobile device, etc.) as expected. This is not an issue because you need the API Key & API Secret combination to be able to create sessions, generate tokens, etc.

For security purposes, you should not expose the combination of API Key and API Secret.

Upvotes: 3
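
The split described in the answer above, as an added example that is not part of the original post and is not OpenTok's code: the server signs a session grant with the API Secret, and the browser receives only the API Key, session ID and token. The token layout, function names and credentials are constructed for illustration and are not OpenTok's actual token format.

```javascript
// Added illustration: a simplified HMAC-signed token, NOT OpenTok's real format.
const crypto = require("node:crypto");

// Constructed placeholder credentials (assumptions, not real values).
const API_KEY = "12345678";              // public: shipped to the browser
const API_SECRET = "server-only-secret"; // private: never leaves the server

// Server side: sign the session grant with the secret.
function issueToken(apiKey, apiSecret, sessionId, role, expiresAt) {
  const payload = `key=${apiKey}&session=${sessionId}&role=${role}&exp=${expiresAt}`;
  const sig = crypto.createHmac("sha256", apiSecret).update(payload).digest("hex");
  return Buffer.from(`${payload}&sig=${sig}`).toString("base64url");
}

// Platform side: recompute the signature with the secret on file for that key.
// Returns the granted fields, or null if the token is forged or expired.
function verifyToken(token, secretForKey, now) {
  const raw = Buffer.from(token, "base64url").toString("utf8");
  const cut = raw.lastIndexOf("&sig=");
  if (cut < 0) return null;
  const payload = raw.slice(0, cut);
  const sig = Buffer.from(raw.slice(cut + 5), "hex");
  const expected = crypto.createHmac("sha256", secretForKey).update(payload).digest();
  // Constant-time compare; the length check avoids a throw on malformed input.
  if (sig.length !== expected.length || !crypto.timingSafeEqual(sig, expected)) return null;
  const fields = Object.fromEntries(new URLSearchParams(payload));
  if (Number(fields.exp) <= now) return null;
  return fields;
}

// What the browser receives from the server: key, session ID, token. No secret.
function clientConfig(sessionId, now) {
  const token = issueToken(API_KEY, API_SECRET, sessionId, "publisher", now + 3600);
  return { apiKey: API_KEY, sessionId, token };
}
```

Someone who knows only the API Key cannot produce a token that passes `verifyToken`, which is why exposing the key alone in the browser is acceptable while the secret has to stay on the server.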
