Keeping the API key private

Robin Sheat

Apr 11, 2013, 9:05:22 PM
to digi...@googlegroups.com
How strict are the rules around the API key?

The terms of service says:

6. You must keep your API key secure and confidential. If you believe that the security and confidentiality of your API key has been compromised, you must notify us as soon as possible at in...@digitalnz.org

However the API says:

http://api.digitalnz.org/v3/records.json?api_key=[your_api_key]&text=cat+dog

It's not possible to keep the api_key private here as it's being sent in the open. For example, by activating Firebug I can immediately see the API key in the JavaScript implementation on Kete.

I'm thinking of putting together a free software Android app for this some time, just for fun.

Cheers, Robin.

Chris McDowall

Apr 14, 2013, 4:46:34 PM
to digi...@googlegroups.com
Hi Robin,

The main reasons that the DigitalNZ API uses secret keys are to track usage and to manage load on our systems. We ask people to make best endeavour efforts not to expose their API keys, but ultimately we leave the implementation up to the individual developers.

We had a situation some time ago when an exposed key was hijacked by another party. We would like to avoid similar situations.

All the best,
Chris
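
One way to keep the key out of client-side code, shown as an added example that is not part of the thread and is not DigitalNZ's or Kete's code: the browser calls your own server, which attaches the key to the request URL quoted above and masks it in logs. The function names, the single-entry parameter allowlist and the constructed key value are assumptions; in a deployment the key would come from server-side configuration.

```javascript
// Added example: a server-side helper, so the key never appears in browser code.
// Endpoint as quoted in the thread; prefer https if the service offers it.
const UPSTREAM = "http://api.digitalnz.org/v3/records.json";
// Only "text" appears in the thread; extend this allowlist per the API docs.
const ALLOWED_PARAMS = new Set(["text"]);

// Build the upstream URL from an untrusted client query string.
// Anything not allowlisted is dropped, including a client-supplied api_key.
function buildUpstreamUrl(clientQuery, apiKey) {
  if (!apiKey) throw new Error("API key is not configured on the server");
  const upstream = new URL(UPSTREAM);
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    if (ALLOWED_PARAMS.has(name)) upstream.searchParams.append(name, value);
  }
  upstream.searchParams.set("api_key", apiKey);
  return upstream.toString();
}

// Mask the key before a URL is written to logs or error messages.
function redactKey(url) {
  const u = new URL(url);
  if (u.searchParams.has("api_key")) u.searchParams.set("api_key", "REDACTED");
  return u.toString();
}

// Forward one search. fetchImpl is injectable so this can be exercised offline.
async function proxySearch(clientQuery, apiKey, fetchImpl = fetch) {
  const url = buildUpstreamUrl(clientQuery, apiKey);
  console.log("upstream request:", redactKey(url));
  const res = await fetchImpl(url);
  return { status: res.status, body: await res.text() };
}

// Constructed sample input: a browser request that tries to pass its own key.
const sample = "text=cat+dog&api_key=from-browser&callback=cb";
console.log(redactKey(buildUpstreamUrl(sample, "CONSTRUCTED-KEY")));
```

The key still crosses the network between your server and the API, so this removes it from page source and browser tooling rather than from the wire.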