API key is supposed to be public?

Skip to first unread message


Jul 13, 2009, 12:02:44 PM7/13/09
to bitly API

if I use the Javascript client or in general the JSONP functionality
from a web site, my API key will be public for anyone to see. Is that
OK with Bitly?

I would not be able to prevent abuse of the key, but I am also not
quite sure what anybody would want to use it for. Perhaps to create
spam URLs, but might not be worth the effort.

Also since there is not history for URLs shortened via API, I wouldn't
even notice if somebody steals my key. I hope at least nothing can
fall back on me if somebody else uses the key.

Maybe that is the intended use of the authentification, but I think it
would be simpler to just let go of the key.

For example Twitter for it's search API just requires a User-Agent or



Jul 16, 2009, 9:51:13 AM7/16/09
to bitl...@googlegroups.com
Embedding the API key in your javascript is one way to go. If you do this, you may want to create a separate account, eg, yourapppublic.

Alternatively, you could proxy requests through your own server, and add the API key server side before sending the request to bit.ly.

Send to your server:

Append credentials using mod rewrite or a php script:
This proxy method is probably best.

Andrew Kortina // http://bit.ly/AK
Reply all
Reply to author
0 new messages