I have been researching the Airbnb API and have started working with it and making some requests. Some API calls such as calendar_months require an API key:
https://www.airbnb.com/api/v2/calendar_months?key=your_api_key&listing_id=17794278&_format=with_price
I know that your API key can be found in the meta tags, or by inspecting requests in the browser (How to acquire API key for Airbnb). This is fine, and I've successfully located my API key.
My concern is that this key does not appear to be unique. I've retrieved the API key from multiple computers on multiple networks with separate IP addresses -- even from a server in another country with no association to my previous Airbnb activity. I always find the same API key: d306zoyjsyarp7ifhu67rjxn52tv0t20
I'd normally never post the key for my account somewhere (obviously), but it's clear that this API key is not unique to me. A quick google search shows that many people are already using it:
https://www.google.com/search?q=d306zoyjsyarp7ifhu67rjxn52tv0t20
You can find the same situation with API key 3092nxybyb0otqw18e8nh5nty. This one I initially found in the old unofficial airbnb api docs (Does you have a copy of a documentation of unofficial AirBnb API?) so it's understandable that some people might have found it there and started using it.
I've searched extensively to find some discussion on this, but I can't find anything and I have a number of questions about this:
Look up your own API key and do a google search for it -- is anyone else sharing your key?
Do you receive different keys on separate computers / networks?
Why would Airbnb require a key for certain requests, if the key does not to uniquely identify the user?
Is there something I'm overlooking which would allow them to identify me even though many people are sharing this key?
How can I acquire a truly unique API key?
Why is no one talking about this?
Thanks!
I have check my airbnb API Key again, it is the same with yours: d306zoyjsyarp7ifhu67rjxn52tv0t20
Just Before I looked this question, I thought this key is unique to my account.
Look up your own API key and do a google search for it -- is anyone else sharing your key?
No one is sharing your airbnb key, and everyone is sharing this key.
Do you receive different keys on separate computers / networks?
No. I have checked in different computers/networks
Why would Airbnb require a key for certain requests, if the key does not to uniquely identify the user?
I have found that Airbnb use IP address to identify different user.
Is there something I'm overlooking which would allow them to identify me even though many people are sharing this key?
I guess there are another parameters help airbnb to identify different users. But I didn't find yet.
How can I acquire a truly unique API key?
Don't Know. Only the Airbnb Engineering Team knows.
Why is no one talking about this?
I thinks everyone will think this key is unique to him/her.
Related
it looks like if I'd like to enable key restrictions for Android and iOS app the only way is to use Application restrictions with 1 key being used on both platforms?
I'm having 1 Google Maps Key being used on Android and iOS, and what I can find in the GCP -> APIs and services -> Credentials, is the choice between one of those, I can't select both platforms.
Would it be correct? If yes, then it'd be better to create 2 separated keys rather than limiting on the Application restrictions level? My application is React Native with react-native-maps package for Google Maps and it's quite natural to use 1 codebase, also 1 API key.
It's technical also possible to use 2 keys*, but next time when releasing on Web and Desktop, I'll need to use yet another keys. Eventually, ending up with 4, instead of 1, which simplifies key management.
*I'll only need to change the reference to a different variable https://github.com/tamotam-com/tamotam-app/blob/master/ios/TamoTam/AppDelegate.m#L36 and/or https://github.com/tamotam-com/tamotam-app/blob/master/android/app/src/main/AndroidManifest.xml#L20
API security best practices
"API keys are required for apps and projects that use the Google Maps Platform APIs and SDKs. For maximum security and minimal effort, secure your API keys when you create them.
While it is possible to secure API keys after they're created and in use, there can be different constraints based on how the key is used. Updating or replacing keys in mobile apps (Android and iOS) are the most complicated, since the keys won't all be replaced until all customers update their apps. Updating or replacing keys in JavaScript or Web Service apps are much more straightforward, but updating or replacing these keys still may require careful planning and fast work."
It is considered as best practice when you Use seperate API keys for each app
The reason would be because:
"This limits the scope of each key. If an API key is compromised, you can delete or regenerate the impacted key without needing to update your other API keys."
Simplified key management could cost you security. So having 4 keys instead of 1, is still better most especially if your key was compromised.
Hope this helps.
Currently working on a python project, and am trying to get it usable enough to the point where I could share it with other people on platforms like reddit or github. However, I can't go sharing around the API. Is there any way to include the API key but hide it somehow so it is simultaneously usable and still hidden from any users who download my repository?
There is not a way to have an API key be shared so it's both usable and private. If you can't share the API, then you'll just have to keep it to yourself.
I've been looking through several ready-made vue components for autocompleting search using Google api. For instance this one and that one. And it seems to me that all of them let the user have an access directly to their Google Places API key (at least I can see it just in a page source of their demo sites).
Is it a right approach? How to deal with the fact that someone can take this key and quickly exceed the quota? Sorry for the naive question.
seems the best solution for the frontend only is to restrict your API key, which can be easily spoofed. Alongside other solutions that Google suggests are [link]:
Restrict your API keys
Independent API key per app
Delete API keys no longer needed
Exercise caution when regenerating keys
Monitor API key usage for anomalies
unless you could manage to implement a backend API version of it and query your backend API instead of Google API and then you could practice some solutions like rate limit on your backend API.
I was looking at the Google Fonts Developer API, where you can programatically query the Google Fonts catalog and get some JSON results. You have to get a an API key through Google to use it.
I want to create an extension/plugin for a text editor where you can query the Google Fonts catalog using this API. I would plan on distributing this plugin for anyone to use.
However, in order for it work, I obviously have to sign up for an API key and include that in the code for the plugin so it gets distributed also.
I know that API keys like this as not secret passwords or anything like that, but should they be distributed like this? If one was to build something like this, this seems like the only way to do it.
What happens if someday my own Google account is compromised? What if I need to refresh the API key for some random reason, etc? Then all those users of the plugin would be out of luck since the plugin is using an old key.
What is the best approach to this type of problem? I was planning on having the API key to be "editable" in the plugin so that one could use their own key if they wished, but I don't want that to be a requirement because it just creates a higher barrier to entry.
How to get the API key for the authentication purposes for posting the request to get the email previews using Litmus?
There are actually a few different Litmus Preview APIs to cater to different use cases. We're in the process of simplifying this, partly in the hope of making the experience for a new API user a little more obvious.
If you reach out to hello#litmus.com we'll direct you to the appropriate API version and how to obtain your key.