How to get WorkflowMax API Keys? - xero-api

The WorkflowMax website is not showing any details regarding API keys. Is there any way to get the necessary API keys?

I'm not from the WorkflowMax team, but according to the docs: All new connections to the WorkflowMax API must use OAuth 2.0. Create a connection to a WorkflowMax account by selecting a WorkflowMax scope.

Related

Can I set the audience in the JWT that Xero returns?

I'm using the Xero OAuth2 code flow to authenticate my users. I'm trying to use the access token (a JWT) returned by Xero in order to authenticate requests against a Fauna database. This is theoretically possible by using a Fauna AccessProvider, which is a feature that allows third-party identity providers to authenticate requests against a Fauna database.
Fauna's docs on using its AccessProvider give examples for setting it up with Auth0, but I'm trying to determine whether I can use Xero's OAuth2 functionality instead. This would mean I need Xero to include a second value in the aud field of the access token JWT. From this other StackOverflow post and from looking at the access token, I can see that the aud field is set to the string 'https://identity.xero.com/resources'. Is it possible to configure Xero to set this value to an array that includes a custom value? I need it to include the Audience value set on my AccessProvider instance as documented in this blog post.
I looked through the settings for my app within my Xero developer account, and I don't see any place to add a value to the aud included in the access token.
I've read through the Xero documentation and Googled for any examples of this, but I didn't find any other writing on the subject.
I received this answer from Xero Support:
The access token retrieved from Xero using OAuth is not customisable and so you would not be able to add in the audience.
So it looks like this is not possible, unfortunately.
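The audience check behind this limitation, as an added example that is not part of the original post: a recipient that enforces `aud` (RFC 7519, section 4.1.3) accepts a token only if its own identifier is the `aud` string or one entry of the `aud` array. `FAUNA_AUD` is a constructed placeholder, the tokens are constructed samples with a dummy signature, and signature verification is deliberately left out.

```python
import base64
import json

XERO_AUD = "https://identity.xero.com/resources"       # value quoted in the question
FAUNA_AUD = "https://db.fauna.example/db/PLACEHOLDER"  # constructed placeholder


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token; the signature segment is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url(json.dumps(header).encode()),
        b64url(json.dumps(claims).encode()),
        b64url(b"not-a-real-signature"),
    ])


def read_claims(token: str) -> dict:
    """Decode the payload segment. A real verifier checks the signature
    first; no claim may be trusted before that."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepts(claims: dict, expected: str) -> bool:
    """aud is a single string or an array of strings; the recipient must
    find its own identifier there or reject the token."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and expected in aud
    return False  # missing or malformed aud


# What Xero issues today (single fixed audience) vs. what the question needs.
xero_token = make_sample_token({"aud": XERO_AUD, "sub": "user-1"})
multi_token = make_sample_token({"aud": [XERO_AUD, FAUNA_AUD], "sub": "user-1"})
```

Only the array form satisfies both recipients, and that is the form Xero Support says cannot be configured.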

Customer Authentication in commercejs

You get the problem reading the title. Is there any way I can sign up customers using commercejs? The documentation only shows login/logout methods but not sign up. Is there any way I can do it through commercejs? Or should I use another authentication service like Firebase Auth?
There is no specific way to register a user as Commercejs does not store any kind of password.
The only way to register a user is to use https://commercejs.com/docs/api/#create-customer as per the API reference docs. However, if you want to integrate some kind of custom auth, you should definitely use this reference:
https://commercejs.com/docs/api/#issue-jwt-for-customer
This allows you to issue a JSON web token for a customer directly using your secret Chec API key. This may be a desirable option if you are integrating your own customer authentication, and simply need a token to authorize API requests as your customer with.
I have personally used this method along with Firebase auth.

How to create Google API as an agency?

Hi, I looked at https://developers.google.com/places/web-service/get-api-key
For an agency, is it possible to set up an API without having the client's login?
How can we create one?
Regards,
Jeff
API keys are for accessing public data; there will be no need for logging in when you use this.
Follow these steps to get an API key:
Go to the Google API Console.
Create or select a project.
Click Continue to enable the API.
On the Credentials page, get an API key (and set the API key restrictions).
Note: If you have an existing unrestricted API key, or a key with server restrictions, you may use that key.
To prevent quota theft, secure your API key following these best practices.
(Optional) Enable billing. See Usage Limits and Billing for more information.
There is no other way to get an API key; you will need to create a project on the Google Developer Console.

How to restrict someone to access my API directly using www.my-appspot-id.appspot.com/_ah/api/explorer?

I have created an app and some REST API on Google Appengine and deployed it to
www.my-appspot-id.appspot.com
I'm using Google Datastore to store my data and have created APIs to access that data.
However, I can also access my API directly using
www.my-appspot-id.appspot.com/_ah/api/explorer
which means anyone can access them and can manipulate the data, which I don't want.
How can I restrict access so that only a particular registered set of users can use it?
I stumbled upon this tutorial recently, might be of some help.
I think you need to authenticate your endpoints and authorize only some client id.
OAuth 2 authentication : https://developers.google.com/appengine/docs/python/endpoints/getstarted/backend/auth
Allowed client ids and audience : https://developers.google.com/appengine/docs/python/endpoints/create_api#allowed_client_ids_and_audiences
To answer your question : you can't.
Google Cloud Endpoints is based on the explorer API: everybody will be able to navigate your API and see the different methods available.
BUT if you add authentication to your methods, the visitor will not be able to execute them.

REST API and API KEY

Could someone please explain to me how to use an API key and what it is good for?
I have searched a lot about this and I got different and conflicting answers. One says that an API key is kept secret and it's never sent as part of the communication, while others send it to the client without any encryption. What is the client's signature? How can he generate it and what can the server do with it? Why should I be monkeying with API keys instead of using the good old username-password pair? Could someone explain to me in detail how the communication looks between a client (Android device) and the server (PHP API)?
I'd appreciate any good tutorials, code samples, and explanations for beginners.
The topic of API authentication is a complex one. Below I'm going to do my best to explain one part of the issue: why is an API key better than a username / password?
Here we go.
When building (or working with) an API, a common question developers ask is "Why does this service require an API key instead of my username and password?" It's a great question!
First, let's talk about what API keys typically are.
API keys are usually randomly generated strings of letters and numbers. Furthermore, an API key typically comes in two parts: an ID and a secret. If you're using a web service like Stormpath, for instance, you might have two API keys that look like this:
API_KEY_ID=kzjbOg3iOm4k4MRpBss76yxlZSPJtoOPaqxirsfX
API_KEY_SECRET=A8FnQWM7RpgGjU3sZjOUgMIq5t8mvAhQES9iE30S
You can think of an API key ID as a username. This is a globally unique identifier which allows the API service to find your account.
You can think of an API key secret as a password. This is a password that, when matched up with the correct API key ID, will grant you access to the API service in question.
The main reason you WOULDN'T want to use a username and password to authenticate against an API is that:
Even if the API is served over SSL, there are many exploits available which can compromise your credentials. If you used your username / password to log into API services, and an attacker grabs these credentials, they have access to your account as a whole.
If you use your username / password to authenticate against an API, what happens if one of your servers / API clients is compromised? This means you need to reset your username / password and update it for all of the clients which are using it. This can be time consuming, and costly.
By using a username / password, you're usually restricting yourself to a certain type of API usage. By having API key pairs, you're able to separate out API credentials to different levels of access (maybe one key pair can only access certain data, while another can access other types of data).
API key pairs are, in general, a much better idea. In addition to the obvious security benefits, they also serve other purposes:
If an API key pair is leaked, you can usually create / cycle API key pairs without needing to update every single client you own.
You can use API key pairs to provide sub-account functionality for your API.
Hope that helps!
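The question also asks what a client "signature" is and how a key can stay secret without being sent. One common pattern, shown here as an added example that is not from the answer above or from any provider's API: the client sends the key ID in the clear and uses the secret only to compute an HMAC over the request, which the server recomputes. The header names and the 300-second freshness window are assumptions; the key pair is the sample pair quoted in the answer.

```python
import hashlib
import hmac
import time

# Server-side key store: key ID -> secret (sample pair from the answer above).
KEYS = {"kzjbOg3iOm4k4MRpBss76yxlZSPJtoOPaqxirsfX":
        b"A8FnQWM7RpgGjU3sZjOUgMIq5t8mvAhQES9iE30S"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def _mac(secret: bytes, method: str, path: str, body: bytes, ts: int) -> str:
    # Canonical string: the body is hashed and the fields are newline-separated,
    # so changing the method, path, timestamp or body changes the MAC.
    msg = "\n".join([method.upper(), path, str(ts),
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: build the headers to send. The secret itself is never sent."""
    ts = int(time.time() if now is None else now)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts),
            "X-Signature": _mac(secret, method, path, body, ts)}


def verify_request(headers, method, path, body, now=None):
    """Server side: find the secret by key ID, check freshness, recompute the MAC."""
    now = int(time.time() if now is None else now)
    secret = KEYS.get(headers.get("X-Key-Id", ""))
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if secret is None or abs(now - ts) > MAX_SKEW:
        return False  # unknown key, or a stale (possibly replayed) request
    expected = _mac(secret, method, path, body, ts).encode()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", "").encode())
```

A captured request is useless for a different body or path and expires after the freshness window; revoking one key ID on the server cuts off only the client holding that pair.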
Have a look at these:
REST authentication and exposing the API key
Why do some API providers require an API key?
And study a little about OAuth.