Do not expose secret key and application id to public

Hi,

We are considering using Backendless for our websites/HTML5 mobile apps.

I read in the docs that I have to call the Backendless init function first, in order to make API calls towards Backendless (JavaScript API):

Backendless.initApp( application-Id, secret-key, version )

As far as I know, this function should be put in a certain JavaScript file/HTML file. Since the source code of web apps is visible to everyone (via browsers/inspector), I was wondering how safe it actually is to put our secret key in a public file.

Is this secure?
Is there any solution to call the init function in a secure way, so that our secret key/application ID is not exposed to the public?

Thanks in advance!

Daniel

Hi Daniel,

Secret key is not that “secret”. A better name for it is “API Key”. Securing your backend data is not about keeping the key hidden, but more of a task of configuring a security policy on the backend by assigning proper permissions to users and roles. I recommend watching the “Backendless Security” webinar where I talked about many of these topics: https://backendless.com/webinars

Regards,
Mark
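
Added example, not part of the original thread and not Backendless code: a toy server-side check showing the point of the answer above, that a key visible in page source only identifies the app while access is decided by the caller's role. All names (`APP_KEYS`, `SESSIONS`, `POLICY`, `authorize`) and values are hypothetical and constructed for illustration.

```javascript
// Toy backend authorization model (hypothetical names, constructed values).

// The API key only says which app a request belongs to. It ships in page
// source, so the server must assume every visitor knows it.
const APP_KEYS = new Set(['PUBLIC-APP-KEY-EXAMPLE']);

// Sessions issued by the server at login. The role is looked up here,
// never taken from anything the client claims about itself.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', role: 'member' }],
  ['tok-root', { user: 'root', role: 'admin' }],
]);

// Per-table permissions by role. Anything not listed is denied.
const POLICY = {
  Articles: { anonymous: ['find'], member: ['find'], admin: ['find', 'create', 'delete'] },
  Orders: { member: ['find', 'create'], admin: ['find', 'create', 'delete'] },
};

// Own-property lookup, so names like "__proto__" never match inherited keys.
const own = (obj, key) =>
  Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

function authorize(req) {
  if (!APP_KEYS.has(req.apiKey)) return { allowed: false, reason: 'unknown app' };
  // A valid key grants nothing by itself; resolve the caller's role.
  const session = SESSIONS.get(req.userToken);
  const role = session ? session.role : 'anonymous';
  const ops = own(own(POLICY, req.table) || {}, role) || [];
  return ops.includes(req.op)
    ? { allowed: true, role }
    : { allowed: false, role, reason: 'role lacks permission' };
}

// Constructed requests. The first two callers hold only the public key.
function demo() {
  const apiKey = 'PUBLIC-APP-KEY-EXAMPLE';
  return [
    authorize({ apiKey, table: 'Orders', op: 'find' }),
    authorize({ apiKey, table: 'Articles', op: 'find' }),
    authorize({ apiKey, userToken: 'tok-alice', table: 'Orders', op: 'delete' }),
    authorize({ apiKey, userToken: 'tok-root', table: 'Orders', op: 'delete' }),
  ].map((r) => r.allowed);
}

console.log(demo());
```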

Thanks a lot Mark!
Watching your webinar was indeed a good suggestion, it cleared all my doubts :)