API key is supposed to be public?

[Bjoern]

Hi,

if I use the Javascript client or in general the JSONP functionality
from a web site, my API key will be public for anyone to see. Is that
OK with Bitly?

I would not be able to prevent abuse of the key, but I am also not
quite sure what anybody would want to use it for. Perhaps to create
spam URLs, but might not be worth the effort.

Also since there is not history for URLs shortened via API, I wouldn't
even notice if somebody steals my key. I hope at least nothing can
fall back on me if somebody else uses the key.

Maybe that is the intended use of the authentification, but I think it
would be simpler to just let go of the key.

For example Twitter for it's search API just requires a User-Agent or
Referrer.

Björn

[Kortina]

Embedding the API key in your javascript is one way to go. If you do this, you may want to create a separate account, eg, yourapppublic.

Alternatively, you could proxy requests through your own server, and add the API key server side before sending the request to bit.ly.

Send to your server:

http://yourserver.com/bitlyproxy/shorten?version=2.0.1&longUrl=http://cnn.com

Append credentials using mod rewrite or a php script:

http://api.bit.ly/shorten?version=2.0.1&longUrl=http://cnn.com&login=bitlyapidemo&apiKey=R_0da49e0a9118ff35f52f629d2d71bf07

This proxy method is probably best.

--
Andrew Kortina // http://bit.ly/AK