How to secure the JavaScript API Access Token?

Backend | Unresolved | 5 | 2023
轮回少年 2020-12-02 10:24

There are numerous online resources which provide JavaScript APIs to access their services. To be more clear, I will base my question on the example of MapBox, but this appl

5 answers
  • 2020-12-02 10:55

    I will speak only about map imagery APIs like Mapbox. It seems that, unfortunately, only services like Google Maps, Here Maps, Bing Maps etc. offer IP/domain filtering by service provider or this type of security; all OSM-based offerings I have met don't propose it. As Justin Poehnelt said, the only reliable way is to build a proxy, but it's usually forbidden. I found this in the ToU of Mapbox:

    You may not redistribute Map Assets, including from a cache, by proxying, or by using a screenshot or other static image instead of accessing Map Assets through the Mapping APIs.

    0 | Discuss (0)
  • 2020-12-02 11:02

    JavaScript API tokens (and all client tokens, in fact) are always visible to the client (unless using them only server-side, as in Node). There is no way around that. As you mentioned, the only way to truly secure an API key and keep it private is to store it on the server, then request the server to make the request on the client's behalf.

    0 | Discuss (0)
  • 2020-12-02 11:03

    Restrict Access with CORS

    Make your web server return the access tokens on an AJAX request from your JavaScript, with CORS set up. The token can be captured with this method by visiting your app.

    Provide Tokens to Authorized Users

    You can also add authentication on your web server to provide limited access to the users you allow. The token can be captured with this method, but only by authorized users.

    Proxy Requests

    The only way to completely protect that token is to proxy the requests through your server. The token cannot be captured with this method. Note that this may be against the terms of service.

    0 | Discuss (0)
  • 2020-12-02 11:09

    5 years later, this is not necessarily for the original poster but for anyone still interested, Mapbox now allows you to easily restrict tokens by domain(s):

    https://account.mapbox.com/access-tokens (assuming you are signed in)

    0 | Discuss (0)
  • 2020-12-02 11:15

    You may like to read up on CORS headers. These allow you to restrict which domains can call a remote web service.

    0 | Discuss (0)