I tried to get data from this API https://api.rajaongkir.com/starter/province with an API key. I already put my API key correctly when requesting the data, but the response was Invalid key.
Here's my code:
Here's the response:
EDIT
I don't understand, it's OK if I use Postman.
What does not work is the preflight request with the 'OPTIONS' HTTP type.
This request is done directly by your browser.
A solution is to do the request on a Node.js server and send back the data to the client.
You should not give your API key to the client anyway.
So, I did the effort of typing your image code as text for you, here it is overall:
console.log(
  'test',
  this.$axios.$get('https://api.rajaongkir.com/starter/province', {
    headers: { key: '00958fbcc8a7d31edf4bc2c168de705c' },
  }),
)
Next time, please provide it as text rather than image.
Also yeah, as mentioned above, you can see that the issue is actually a CORS issue.
To fix this properly, you need to whitelist your domain name and your localhost on Rajaongkir's dashboard somewhere.
PS: once the issue is fixed, I do recommend you to recreate a brand new API key since this one is now public.
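The server-side approach suggested in the answers above, as an added example that is not part of the original posts: a small Node.js handler that attaches the `key` header on the server, so the browser never holds the key. The `/api/province` route, the `RAJAONGKIR_KEY` and `START_PROXY` environment variables, the origin allow-list and the function names are assumptions; it needs Node 18+ for the global `fetch`.

```javascript
// Added example, not code from the original posts. Assumed names: the
// /api/province route, RAJAONGKIR_KEY, START_PROXY, ALLOWED_ORIGINS.
const UPSTREAM = 'https://api.rajaongkir.com/starter/province';
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // your front-end origin(s)

// CORS headers for our own endpoint: only allow-listed origins may read replies.
function corsHeaders(origin) {
  return ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' }
    : {};
}

// Framework-independent core. `fetchImpl` is injectable so it can be tested offline.
async function proxyProvince({ method, path, origin }, apiKey, fetchImpl = fetch) {
  const headers = { 'Content-Type': 'application/json', ...corsHeaders(origin) };
  if (path !== '/api/province') return { status: 404, headers, body: '{"error":"not found"}' };
  // The browser sends a plain GET with no custom header, so no preflight is needed.
  if (method !== 'GET') return { status: 405, headers, body: '{"error":"method not allowed"}' };
  if (!apiKey) return { status: 500, headers, body: '{"error":"server misconfigured"}' };
  // The key is attached here, on the server, and is never copied into the reply.
  const upstream = await fetchImpl(UPSTREAM, { headers: { key: apiKey } });
  return { status: upstream.status, headers, body: await upstream.text() };
}

// Wire the core into Node's built-in HTTP server.
async function startServer(port = 8080) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const out = await proxyProvince(
      { method: req.method, path: req.url.split('?')[0], origin: req.headers.origin },
      process.env.RAJAONGKIR_KEY,
    ).catch(() => ({ status: 502, headers: {}, body: '{"error":"upstream failed"}' }));
    res.writeHead(out.status, out.headers).end(out.body);
  }).listen(port);
}

if (process.env.START_PROXY === '1') startServer();
```

The front end then calls `/api/province` on this server instead of calling api.rajaongkir.com directly.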
Related
I am working with the following api:
https://www.football-data.org/documentation/api
I have gotten myself an api key and I tried to make the example request:
https://api.football-data.org/v2/teams/86/matches?status=SCHEDULED
of course I get the error
{"message":"The resource you are looking for is restricted. Please pass a valid API token and check your subscription for permission.","errorCode":403}
So the question is, how do I give the website my API key to allow me to make these requests?
Looking at the Python snippet, they create a dictionary with the API key as a value and pass that to the request. How can I do this in my browser?
I tried
https://api.football-data.org/v2/teams/86/matches?status=SCHEDULED&%22X-Auth-Token%22=%22MYAPIKEY%22
and it did not work.
You are passing your API key as a query parameter, which is not in line with the API specification.
The API needs the key as an HTTP header. You cannot easily do that in a web browser. I'd suggest getting something like Postman or to do it on the command-line:
curl -i -H "X-Auth-Token: MYAPIKEY" "https://api.football-data.org/v2/teams/86/matches?status=SCHEDULED"
You might have figured it out by now, but I am dropping this for anyone else looking on how to do it in Python:
import requests
from pprint import pprint

token = ""  # Write the API key emailed to you here
headers = {
    'X-Auth-Token': token,
}
# HTTPS keeps the token from crossing the network in clear text
r = requests.get('https://api.football-data.org/v2/competitions/EC/teams', headers=headers).json()
pprint(r, indent=2, depth=1, compact=True)
If you're using Postman like @Jakob Löhnertz suggested:
You want to first enter the API
Then go over to the Headers tab, put in "X-Auth-Token" as your Key and your unique API token as your value. Hit send and you should be all good.
Finally, be sure to go through here to see the list of available competitions for a free account.
I'm trying to send data from NetSuite to ZenDesk via the ZenDesk API. Problem is, I can not get it to authenticate by placing the authentication inside the header. Has anyone seen any articles on doing it this way? I've tried adding it as {email}:{password} and {email}/token:{token} with no luck.
I have tested the password and the token using curl. So I do know that the password is correct. Any thoughts on this one?
I've also tried using Postman to create the authentication and it worked as well. Oddly enough, though, I can not use that authentication in any other application. I can paste it into the header (in Postman) with no issues, but when I try to do that via Advanced Rest Client (Chrome Extension) it won't work, nor will it work in the header from NetSuite.
I'm guessing there must be something that I am missing that Postman is doing by itself.
Generally you have to provide credentials as a header, e.g. for a GET request like:
var url = 'https://...';
var cred = 'username' + ':' + 'password';
var headers = {
  'Content-Type': 'application/json',
  // HTTP Basic auth: the scheme name precedes the base64-encoded credentials
  'Authorization': 'Basic ' + nlapiEncrypt(cred, 'base64')
};
// A null body makes nlapiRequestURL issue a GET
nlapiRequestURL(url, null, headers);
NetSuite has a new method that apparently helps with this: nlapiRequestURLWithCredentials, but I've not bothered figuring it out since the above is well tested and has worked with multiple remote systems.
I'm using Ember.js in conjunction with Ember-Auth. While uploading files via Jquery-File-Upload, I need to send the authenticity token through the headers. I'm approaching this like so:
didInsertElement: ->
  $('#image_upload').fileupload
    headers:
      'X-CSRF-Token': Whistlr.Auth.authToken
Unfortunately, Whistlr.Auth.authToken is undefined. I'm not even sure this is where Ember-Auth stores the auth token, though it seems like a likely candidate. Similarly, other attributes are undefined, such as user and userId. Aside from this, Ember-Auth seems to work fine, and it sends the auth token with every request. It's only when trying to manually retrieve it that I have this problem. Any advice as to what's happening?
I don't know Ember-Auth, but to access properties in objects, you have to use the get method.
Whistlr.Auth.get('authToken')
I hope it helps.
The REST API for Mongolab is cool. I can use that for analytics in my website directly using the following javascript, provided on Mongolab's support page. Only if I can understand how the authentication actually works. The API key mentioned in the URL could be easily copied by anyone who'd view the html source. The Mongolab control panel does not offer any registration for my website that'd assure me that the api key will be validated only if coming from my domain.
How does this authentication work?
$.ajax({
  url: "https://api.mongolab.com/api/1/databases/my-db/collections/my-coll?apiKey=myAPIKey",
  data: JSON.stringify({ "x": 1 }),
  type: "POST",
  contentType: "application/json"
});
Excellent observation, and great question.
Currently, all API keys have read and write access to the databases associated with the user's account, and any agent possessing an API key can successfully issue any such request.
As you observe, this very basic pass key is not designed with any kind of fine-grained security in mind.
However, we're working on a batch of new REST API security features aimed at precisely that.
Contact us at support@mongolab.com if you'd be interested in discussing the details.
I'd like to use MongoLab service for my first AngularJs app with MongoDB, but MongoLab is not ready for production with a web app that wants access from the front end to the MongoDB.
It's very easy to get the API key in the browser's network traffic (see screenshot below, the apiKey is in plain text there) and then anyone can have full access to the DB. So messing around with the MongoDB would be no problem.
I haven't found a workaround for MongoLab yet. At the moment, I think I will use another service like https://www.dreamfactory.com/
I haven't tried it in detail yet but it looks great for an AngularApp with MongoDB and I need to check how they implemented the security of the API. At first look, it looks like it is working with session tokens to secure the requests to the database.
You have an API key for doing http request to your DB using their REST API. For example, if a user wants to log in I make a request with a GET method like this:
https://api.mongolab.com/api/1/databases/name_db/collections/users/put_your_params_like_username_and_pw?apiKey=xxxxxxxxx
And then you analyze the response to that request. It is not the most secure DB in the world but it is getting better.
If you want more info I talk about that in my blog: http://lolapriego.com/blog/?p=16
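One way to limit what a full-access key can do, as an added example that is not from the original posts or from MongoLab: keep the key on a server and expose only a single, validated insert into the analytics collection. The database and collection names come from the question's URL; the field allow-list, the size limit and the function names are assumptions.

```javascript
// Added example, not MongoLab's code. Database and collection come from the
// question's URL; ALLOWED_FIELDS, MAX_BODY_BYTES and function names are assumed.
const COLLECTION_URL =
  'https://api.mongolab.com/api/1/databases/my-db/collections/my-coll';
const ALLOWED_FIELDS = { x: 'number', page: 'string' }; // field name -> required type
const MAX_BODY_BYTES = 1024;

// Returns a clean copy of the event, or throws on anything outside the allow-list.
function validateEvent(raw) {
  if (typeof raw !== 'string' || Buffer.byteLength(raw) > MAX_BODY_BYTES) {
    throw new Error('body missing or too large');
  }
  let doc;
  try { doc = JSON.parse(raw); } catch { throw new Error('body is not JSON'); }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new Error('body must be a JSON object');
  }
  const clean = {};
  for (const [name, value] of Object.entries(doc)) {
    // Unknown names, including "$"-prefixed operators and "_id", are rejected.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, name)) {
      throw new Error(`field not allowed: ${name}`);
    }
    if (typeof value !== ALLOWED_FIELDS[name]) throw new Error(`wrong type for ${name}`);
    clean[name] = value;
  }
  if (!('x' in clean)) throw new Error('x is required');
  return clean;
}

// Builds the one upstream request the server makes on the browser's behalf.
// The browser never chooses the collection, the HTTP method or the key.
function buildInsertRequest(rawBody, apiKey) {
  const event = validateEvent(rawBody);
  return {
    url: `${COLLECTION_URL}?apiKey=${encodeURIComponent(apiKey)}`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(event),
    },
  };
}
```

A server route that receives the browser's POST passes the raw body to `buildInsertRequest` and sends the result with `fetch(request.url, request.options)`; a thrown error maps to a 400 response.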
I’ve a Flickr which I’m using to upload pictures from my phone and all images are public. On my blog I want to retrieve all the images to show and for that I’ve first tried to create an application to get my API key. I’m using the Flickr API flickr.people.getPublicPhotos. This API service is said to not require authentication and putting it all together I end up with this call:
http://api.flickr.com/services/rest/?method=flickr.people.getPublicPhotos&api_key=fc94274cd0335f3c171fe22c8490b7d9&user_id=5545356%40N04&extras=description%2Cdate_upload%2Cdate_taken%2Cowner_name%2Coriginal_format%2Ctags%2C+o_dims%2C+views%2C+media%2C+path_alias%2C+url_sq%2C+url_t%2C+url_s%2C+url_q%2C+url_m%2C+url_n%2C+url_z%2C+url_c%2C+url_l%2C+url_o&per_page=40&format=php_serial&api_sig=0c48e2b6b6d9a03521e5ca86a15cf471
The problem is that around every 10 hours it fails and returns the error message a:3:{s:4:"stat";s:4:"fail";s:4:"code";i:100;s:7:"message";s:31:"Invalid API Key (Key not found)";}
I tried to create the API call when logged in to Flickr and also when not logged in, and in both cases I get the error message. It’s like the API key expires or stops working. Have I missed something on Flickr about the API key or what could cause this? It is really frustrating to renew the URL twice a day.
Thank you
Sincerely
- Mestika
If I read the docs correctly, the &api_sig query string parameter is constructed using an authentication token, one that eventually expires. Remove that parameter (= do not sign your API request) and I think you'll be OK.
Mestika's comment seems correct. I was getting the same problem when using the API explorer. If you use your account's API, or go in and create a new app, then use the API given for that, then the key doesn't change every few hours.
The url to request a key is:
http://www.flickr.com/services/apps/create/apply
I got the same problem.
This is how I solved it:
- removed the auth_token and the api_sig parameters
- replaced the api_key value with an app key
Hope this helps.
I met this issue before. With a new API key, it only accepts HTTPS requests.
Let's change your URL to: https://api.flickr.com/services/rest/?method=flickr.people.getPublicPhotos&api_key.....
I am sure it will work right now.
Thanks