Is using the precondition function for an API key like functionality secure?

Using the user auth for securing the API endpoints is a pain for the project I'm working on because tokens expire and I'm not sure how to keep renewing them in Retool. (I don't really need users for this project)

So I thought I could use the precondition function that evaluates whether the "key" querystring equals my API key, which I generated using a password generator :)

My question: Is this a safe approach? Can anyone find this API key through Chrome Dev Tools or something like that (or any other way)?

Comments

  • I've just set my keys to have extremely long expiry times with plenty of 9s. But it's no less secure or hidden than an API key. Anything you can see in dev tools can be seen whether it's a header or not.

    For API keys that I've generated though, I keep them in their own table, then I assign a key to the user in that table and encrypt it with an IV in my settings, so even if someone found access to the table they wouldn't know what the actual keys are without knowing the IV and the user keys from the other table.
  • Ray Deck (Trusted Xano Expert ✭✭✭)
    In OAuth your suggested path is referred to as client credentials flow. It's often used for server-to-server authentication when you are not spoofing a particular person. I usually use the same Authentication: Bearer MYRANDOMSTRING header, but using the querystring or the JSON payload is about the same from a security point of view. You just don't want to make that key (MYRANDOMSTRING) part of a static file that someone else could get their hands on without logging into your Retool account or what have you.
  • Rand (Member)
    Tried this myself today and noticed the key gets displayed as a parameter on the end of the URL which doesn't feel like a secure solution, e.g. https://stackoverflow.com/questions/5517281/place-api-key-in-headers-or-url.

    In my case, I have a single table of data where each row is a unique record with no user accounts and I'd simply like to have a GET or POST request to the data with a simple API key that's secure from public access.

    I feel like the out-of-the-box solution for authentication is designed for solutions with multiple user accounts and relational datasets, so I would love to know how others have set up a custom API key in a header too, outside of the out-of-the-box Xano functionality.
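The following is an added illustration of the static-API-key precondition discussed in the question and in Rand's post, written in plain Python rather than in Xano or Retool (it is not code from either product or from anyone in the thread). It accepts the key either from an `Authorization: Bearer` header or from the `?key=` query parameter the original poster used, stores only a SHA-256 digest of the key rather than the key itself (a hashing choice made here, not the encryption scheme the first commenter describes), and compares digests in constant time. The header and query-parameter names, the digest format and the sample key are assumptions for the example.

```python
"""Added example: a minimal API-key precondition check.

Assumptions (not from the thread): requests are represented as two plain
dicts (headers and query parameters), the key is accepted from either
"Authorization: Bearer <key>" or "?key=<key>", and the server stores only a
hex SHA-256 digest of each issued key.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def generate_key() -> str:
    """Generate a high-entropy random key (the thread's "password
    generator" step done with the standard library's CSPRNG)."""
    return secrets.token_urlsafe(32)


def hash_key(api_key: str) -> str:
    """Digest to store server-side. Keeping only the digest means a
    leaked keys table does not hand out usable credentials."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def extract_key(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Prefer the Bearer header; fall back to the ?key= parameter.

    Both are equally visible in browser dev tools, as the first comment
    says, but a query-string key is additionally written into server,
    proxy and browser-history logs, which is Rand's concern about the key
    showing up on the end of the URL.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):].strip()
        return token or None
    return query.get("key") or None


def precondition_ok(headers: Dict[str, str], query: Dict[str, str],
                    stored_digest: str) -> bool:
    """The check a precondition step would perform: True only when the
    presented key's digest matches the stored digest."""
    presented = extract_key(headers, query)
    if presented is None:
        return False
    # compare_digest runs in constant time, so an attacker cannot
    # narrow the key down byte by byte from response timing.
    return hmac.compare_digest(hash_key(presented), stored_digest)


if __name__ == "__main__":
    # constructed sample key; a real deployment would call generate_key()
    sample_key = "constructed-sample-key-not-a-real-secret"
    stored = hash_key(sample_key)
    print(precondition_ok({"Authorization": "Bearer " + sample_key}, {}, stored))
    print(precondition_ok({}, {"key": sample_key}, stored))
    print(precondition_ok({}, {"key": "wrong"}, stored))
```

Only the digest belongs in the database; the plaintext key is shown once at issuance and then lives in the client's secret store (for a Retool connector, its resource configuration rather than a static file, as Ray Deck's comment advises).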