Do not expose secret key and application id to public

Hi,

We are considering to use Backendless for our websites/HTML5 mobile apps.

I read in the docs that I have to call the Backendless init function first in order to make API calls towards Backendless (JavaScript API):

Backendless.initApp( application-Id, secret-key, version )

As far as I know, this function should be put in a certain JavaScript file/HTML file. Since the source code of web apps is visible to everyone (via browsers/inspector), I was wondering how safe it actually is to put our secret key in a public file.

Is this secure?
Is there any solution to call the init function in a secure way, so that our secret key/application ID is not exposed to the public?

Thanks in advance!

Daniel

Hi Daniel,

The secret key is not that “secret”. A better name for it is “API Key”. Securing your backend data is not about keeping the key hidden, but more of a task of configuring a security policy on the backend by assigning proper permissions to users and roles. I recommend watching the “Backendless Security” webinar where I talked about many of these topics: https://backendless.com/webinars

Regards,
Mark

Thanks a lot Mark!
Watching your webinar was indeed a good suggestion, it cleared all my doubts 🙂

Hi @mark-piller,

Is this answer still relevant? I’m asking because I have the same questions, but I notice that this is a 9-year-old answer. Also, I didn’t see that webinar when I followed your link.

Hello @Adam_Cook

Yes, the answer is still relevant.

Regarding webinars, unfortunately I didn’t find them either, but you can select the Security category - there you can find some articles on this topic, such as: Roles-Based Database Column Visibility, Database Security Best Practices.
You can also check out our documentation on this issue: Data Security, Permissions API.

Regards,
Volodymyr

The webinar is available in our YouTube channel: https://youtu.be/AOyhtu1DOus

I’m halfway through the webinar, and I think I grasp it now. So, to summarize:

  • You don’t use private and public API keys. This is because that model of security is kind of arbitrary, like keeping a secret for the sake of keeping a secret. Keys don’t make your app secure—policies do.
  • Instead, you rely solely on permission-based security settings for data, based on
    • global permissions,
    • authentication,
    • and roles
  • Backendless defaults to very liberal security settings for data, so developers need to actively secure their apps by going through the settings for each table.

That’s a good summary. Additionally, every app in Backendless gets a dedicated subdomain in the form of xxxxx.backendless.app. When you use that domain for the API calls, your App ID and API key are not referenced in the URLs at all.

And I guess Domain Control is how you restrict usage to just the domains specified? If so, I think that covers all remaining access points.

Yes, in the Domain Control section you can map an API Key to the domain. When a request is received by Backendless, the platform will use the security permissions associated with the specified key.
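
To make the summary and the Domain Control point concrete, here is an added example written for this thread. It is not Backendless code and does not use the Backendless SDK; it is a toy authorization model in plain JavaScript with constructed API keys, origins, tables, roles and sessions. The precedence rule it uses (an explicit role deny wins, then an explicit role grant, then the table's global setting, and an unconfigured table falls through to a liberal default) is an assumption chosen to illustrate the thread's points, not Backendless's documented semantics.

```javascript
// Added example, not Backendless's own code. Models the security model the
// thread describes: the App ID / API key is a public identifier, and access
// is decided by (1) which origin the key is mapped to, (2) whether the caller
// is authenticated, (3) the caller's roles and (4) the table's global
// setting. Every name and value below is constructed for illustration.

const ALLOW = "grant";
const DENY = "deny";

// Constructed keys: each is bound to the origins allowed to use it (the
// "Domain Control" idea) and carries a role of its own.
const API_KEYS = {
  "WEB-KEY-EXAMPLE":   { role: "WebClient",   allowedOrigins: ["https://app.example.com"] },
  "ADMIN-KEY-EXAMPLE": { role: "AdminClient", allowedOrigins: ["https://admin.example.com"] },
};

// Per-table permissions. `global` applies to every caller; `roles` holds
// per-role overrides. A table absent from this map is left at the
// (deliberately liberal) default, which is the gap the summary warns about.
const TABLES = {
  Orders: {
    global: { find: DENY, create: DENY, update: DENY, remove: DENY },
    roles: {
      AuthenticatedUser: { find: ALLOW, create: ALLOW },
      Admin: { find: ALLOW, create: ALLOW, update: ALLOW, remove: ALLOW },
    },
  },
  PublicNews: {
    global: { find: ALLOW, create: DENY, update: DENY, remove: DENY },
    roles: { Admin: { create: ALLOW, update: ALLOW, remove: ALLOW } },
  },
};

// Roles a request acts with: the key's own role, the built-in
// authenticated/anonymous role, and any roles assigned to the logged-in user.
function effectiveRoles(keyRecord, session) {
  const roles = [keyRecord.role];
  if (session && session.userId) {
    roles.push("AuthenticatedUser", ...(session.roles || []));
  } else {
    roles.push("NotAuthenticatedUser");
  }
  return roles;
}

// Decide one request. Returns { allowed, reason } so the rule that fired
// is visible to callers and tests.
function authorize({ apiKey, origin, session, table, operation }) {
  const keyRecord = API_KEYS[apiKey];
  if (!keyRecord) {
    return { allowed: false, reason: "unknown API key" };
  }
  // Domain Control: a key only works from the origin(s) it is mapped to.
  if (!keyRecord.allowedOrigins.includes(origin)) {
    return { allowed: false, reason: "origin not mapped to this API key" };
  }
  const tablePolicy = TABLES[table];
  if (!tablePolicy) {
    // Nothing configured for this table: the liberal default lets it through.
    return { allowed: true, reason: "table not configured; liberal default" };
  }
  const decisions = effectiveRoles(keyRecord, session)
    .map((r) => (tablePolicy.roles[r] || {})[operation])
    .filter((d) => d !== undefined);
  // Assumed precedence: explicit role deny, then explicit role grant, then global.
  if (decisions.includes(DENY)) {
    return { allowed: false, reason: "denied by role permission" };
  }
  if (decisions.includes(ALLOW)) {
    return { allowed: true, reason: "granted by role permission" };
  }
  const global = tablePolicy.global[operation];
  return { allowed: global === ALLOW, reason: `global setting: ${global}` };
}

// Scenarios a reviewer would want to see after reading the thread.
function demo() {
  const web = "https://app.example.com";
  const anon = null;
  const user = { userId: "u-1", roles: [] };
  const admin = { userId: "u-2", roles: ["Admin"] };
  return {
    // Key read out of page source, used from its mapped origin, no login.
    anonFindOrders: authorize({ apiKey: "WEB-KEY-EXAMPLE", origin: web, session: anon, table: "Orders", operation: "find" }),
    userFindOrders: authorize({ apiKey: "WEB-KEY-EXAMPLE", origin: web, session: user, table: "Orders", operation: "find" }),
    userRemoveOrders: authorize({ apiKey: "WEB-KEY-EXAMPLE", origin: web, session: user, table: "Orders", operation: "remove" }),
    // Same key presented from a domain it is not mapped to.
    foreignOriginFind: authorize({ apiKey: "WEB-KEY-EXAMPLE", origin: "https://other.example.net", session: user, table: "PublicNews", operation: "find" }),
    adminRemoveOrders: authorize({ apiKey: "ADMIN-KEY-EXAMPLE", origin: "https://admin.example.com", session: admin, table: "Orders", operation: "remove" }),
    // A table nobody configured: still reachable, which is why each table needs review.
    anonFindUnconfigured: authorize({ apiKey: "WEB-KEY-EXAMPLE", origin: web, session: anon, table: "Comments", operation: "find" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the scenarios make is the one Mark made: the key appearing in page source changes nothing for `Orders`, because anonymous callers are denied by the table's global setting and an authenticated user only gets what the `AuthenticatedUser` role grants; the only scenario that leaks is the table that was never configured.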