Using the REST API from client-side javascript

Is there a public-key to use that is paired with my domain?

Hi, currently the JavaScript client must use the Application ID and JavaScript Secret key in the Backendless.initApp call. Given the openness of JavaScript, our secret key is no longer that secret anymore. It works well for the JS applications compiled to run on devices, however, currently it is not that secure for the traditional web/browser-based applications. We have a few ideas on making it more secure by pairing the secret key to a domain, but with enough perseverance it could be broken as well. If you have any ideas on what would solve this problem, I’d love to hear them.


My suggestion would be not requiring Backendless.initApp prior to authentication. Have the authentication service live as a public API (with SSL support) requiring the username, password, and application key. So the user would authenticate to Backendless and receive an encrypted authorization token that would be then provided to the Backendless.initApp call for all further transactions that would be conducted during that session. Once the session has timed out or the user has logged out, that token would be disposed of.

Nick, I really like your idea! There’s only one thing I’d like to add to it: When having authorized successfully, Backendless should return the secret key hashed with the username + expiration date. (e.g. md5(sec.key | username | expiration)) and supply this as a token. Thus you do not need to save any token on the server, as you can verify the token at any time using the secret key.
Aside from that: Your solution sound’s pretty good!

Hey guys,

a few questions for you so I can understand the idea better:

  1. One of the core problems is with JS the app id and secret key are exposed. We plan to provide domain control, so a developer can specify which domains the app can be loaded from and our cross domain policy will enforce it. How does the suggestion you posted solve that problem? When a user authenticates, we need to know what app the user is authenticating with. We’re hosting a lot of apps and each has its own set of users. Therefore the need for the app id is primordial.

  2. What will you suggest for the apps where there is no user authentication? In other words, all the resources of the app are open - there is no registration and login.