Should secret keys be hidden from users?

+1 vote

I noticed that in the Javascript API I should put my secret key into the javascript. If the javascript is running in the browser, is this a security concern? Or are those keys not really a "secret" so much as a way to identify the app? That is, the key doesn't get any privileges to the user, only if they can log in as an adminstrator will they get any "powers" from using the secret key?

closed as a duplicate of: How to secure the app's secret key when used in client side javascript?

asked Nov 24, 2014 in App42 Cloud API-BaaS by dobesv (26 points)
closed Nov 24, 2014 by dobesv

1 Answer

+1 vote

I think I found my answer here:

http://api.shephertz.com/tutorial/Securing-Your-App/?index=security-acl

Basically the secret key isn't used for authorization if ACLs are turned on, the admin key would be used for that purpose, or a user account.

answered Nov 24, 2014 by dobesv (26 points)

All categories
General (205)
- Announcements (49)
- Announce Your App (6)
- Work In Progress (25)
- Operations and Maintenance (35)
- Discuss & suggest API (86)
App42 Community Support (2,624)
- App42 Cloud API-BaaS (1,675)
  - Android (165)
  - iOS (36)
  - Unity (193)
  - Windows (5)
  - Raspberry Pi (0)
  - C# (4)
  - Cocos2D-X (24)
  - Xamarin (4)
  - Corona (49)
  - JavaScript (27)
  - Flash (9)
  - Marmalade (0)
  - AppMethod (1)
  - Rad Studio (1)
  - Java (34)
  - PHP (18)
  - Samsung Smart TV (0)
  - Blackberry 10 (0)
- App42PaaS & BPaaS (73)
- AppWarp (653)
  - Android (66)
  - iOS (23)
  - Unity (33)
  - Windows (4)
  - Html 5 (4)
  - Flash (3)
  - Adobe Air (5)
  - Xamarin (6)
  - Corona (11)
  - Java (10)
  - Marmalade (0)
  - Cocos2D-X (12)
  - Cocos2D (0)
- AppWarpS2 (205)
- App42 DevOps (5)
- App42 API Gateway (9)

...

Team

Partners

Investors

Customers

Media

Backend Cloud APIs

Marketing Automation

API Gateway

AppWarp

Platform-as-a-Service

DevOps

Retail

Banking

Insurance

Gaming