Has anyone successfully used the Photobucket REST API? According to the pathetic docs, it requires OAuth authorization, which would require a consumer key and secret, but registering an app gives you but a single developer key, which I have no idea what to do with.
If you go into photobucket and go to your application and view the details, you will see there is a developer key and what they call a 'private' key. I would assume this is the secret you are looking for. If you manage to make a successful call to the photobucket API, I would appreciate if you could provide the URL you used (anonymize anything private like the signature, of course)
Related
I want to integrate the foursquare API in my website but I'm not that familiar with API security so I want to make sure I'm doing it right.
I want to search for venues in an area like the documentation states:
https://api.foursquare.com/v2/venues/search
?client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&v=20130815
&ll=40.7,-74
&query=sushi
Using javascript however, I don't feel comfortable that the client secret is exposed in my code like this, because if someone looks at my source they have the client_id and client_secret which makes it possible to authenticate themselves with my code:
https://developer.foursquare.com/overview/auth
Isn't that the same as, "hey look at my source code, my username = "someusername" and my password is "somepassword"?
Shouldn't the "client_secret" remain secret like it says? Or am I looking at it the wrong way?
I think the issue is that you're trying to access the Foursquare API using Javascript, which is executed on the client side, so yes, anybody using your website can, with a little bit of investigation, see the secret key that you're using, which is something that you definitely don't want to do.
The way to get around that is not to access the API using code that is executed on the client side. Whatever language you have building the website on the server side should be the code that accesses the API (using the auth credentials that you have set up) and then returns the results of the API call to the rest of the code.
Alternately, you can get users to authenticate with Foursquare and get an access token, which you can then use in user-specific API calls, and it won't matter if those are executed on the client side. I think this is the relevant page in the documentation for using that method: https://developer.foursquare.com/overview/auth#access
Can anyone guide how to integrate with Silverpop, using OAuth(tokens)?
I referred this link
connecting to web api using c#
and I was able to get access token. After this I don't know how to proceed.
Thanks.
Take a look at my github repo:
https://github.com/marcelluseasley/IBM-Marketing-Cloud-XML-API-Wrapper
It isn't finished, but I started working on an XML API wrapper for the Silverpop API. First of all, if you are trying to integrate with the API, you should be able to contact client support and get a copy of the API PDF.
In any case, you should have a client id, client secret, and refresh token. You will need these three things along with a header value of "refresh_token" for the "grant_type" header key.
So you will first sent a post to https://api(pod number).silverpop.com/oauth/token . This will return an access token in a json dictionary ("access_token").
Any subsequent calls made to the API endpoint (https://api(pod number).silverpop.com/XMLAPI will require that you pass this access token in the header section of your request:
"Authorization:" would be the header key and
"Bearer: (access token)" would be the header value
Looking at my code will make it clearer if you are using Python. Your best bet is to get a copy of the API documentation. You have to be a Silverpop client to get a copy though.
Good luck.
Check the follwing:
http://www.codeproject.com/Articles/758362/SilverPop-Integration
Follow the step by step guide.
I'm building a single-page web application, fully based on RESTful API. I've seen several topics in that matter, but some things remain unclear for me.
I will need users to log in. Here are some of my ideas:
I can send e-mail and password to API and use basic auth. I'm not sure where should I keep password, should it be encrypted and if so: how?
Can I use built-in session system instead? Is it wrong to use cookies directly in the RESTful API? Why is it so popular to send credentials/keys to API itself instead of using cookies?
I thought about having one API key per user, return it in login action and keep it in localStorage. I guess it's not the greatest idea to have just one key per user?
Then, I came up with idea to have separate keys table and add random keys each time somebody logs in. On logout, the key would go away and no longer be valid. This is more secure than previous idea.
How is it solved in simple projects? I'd like to make it simple but not ridiculously inserure.
Please help.
The commonly approach is to use the header Authorization in REST. The state of the application must be on the client side with REST and shouldn'a be tied to a particularly client kind (browser with cookies)
I think that this link could be helpful:
Implementing authentication with tokens for RESTful applications : https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/
There is also à great question to à similar question here : https://softwareengineering.stackexchange.com/questions/141019/should-cookies-be-used-in-a-restful-api
Hope it helps,
Thierry
Please someone explain me how to use an api key and what is it good for.
I have searched a lot about this and I got different and conflicting answers. One says that an API key is kept secret and its never sent as the part of the communication, while others send it to the client without any encryption. What is the client's signature? How can he generate it and what can do the server with it? Why should monkeying with api keys instead of using the good old username-password pair? Could someone explain me how the communications look between a client (Android device) and the server (php api) in detail.
I'd appreciate any good tutorials, code samples, and explanations for beginners.
The topic of API authentication is a complex one. Below I'm going to do my best to explain one part of the issue: why is an API key better than a username / password?
Here we go.
When building (or working with an API), a common question developer's ask is "Why does this service require an API key instead of my username and password?" It's a great question!
First, let's talk about what API keys typically are.
API keys are usually randomly generated strings of letters and numbers. Furthermore, an API key typically comes in two parts: an ID and a secret. If you're using a web service like Stormpath, for instance, you might have two API keys that look like this:
API_KEY_ID=kzjbOg3iOm4k4MRpBss76yxlZSPJtoOPaqxirsfX
API_KEY_SECRET=A8FnQWM7RpgGjU3sZjOUgMIq5t8mvAhQES9iE30S
You can think of an API key ID as a username. This is a globally unique identifier which allows the API service to find your account.
You can think of an API key secret as a password. This is a password that, when matched up with the correct API key ID, will grant you access to the API service in question.
The main reason you WOULDN'T want to use a username and password to authenticate against an API is that:
Even if the API is served over SSL, there are many exploits available which can compromise your credentials. If you used your username / password to log into API services, and an attacker grabs these credentials, they have access to your account as a whole.
If you use your username / password to authentication against an API, what happens if one of your servers / API clients is compromised? This means you need to reset your username / password and update it for all of the clients which are using it. This can be time consuming, and costly.
By using a username / password, you're usually restricting yourself to a certain type of API usage. By having API key pairs, you're able to separate out API credentials to different levels of access (maybe on key pair can only access certain data, while another can access other types of data).
API key pairs are, in general, a much better idea. In addition to the obvious security benefits, they also serve other purposes:
If an API key pair is leaked, you can usually create / cycle API key pairs without needing to update every single client you own.
You can use API key pairs to provide sub-account functionality for your API.
Hope that helps!
have a look at this
REST authentication and exposing the API key
Why do some API providers require an API key?
And study a lil about Oauth
I have managed to get an access token from the twitter api. Now I want to use that token for my further data fetching things, so please help me here to get the details of my twitter account.
For example, lets say I wanted to get the user's data, so when I tested this in apigee console, I got my result.
But how to get the same result, using same api, by hitting on a browser using the access token
something like this
Please help
It's a little more complex than the URL you suggested, but you can use Twitter's OAuth tool to generate the OAuth signature you need to make requests to its Home Timeline API call.
You can find the OAuth tool here:
https://dev.twitter.com/docs/api/1.1/get/statuses/home_timeline#oauth-tool
it's not like that when making twitter api calls you need to send consumer key, consumer secret, your_access_token and your_access_token_secret together
Eg: oauth_consumer_key="KEY",oauth_signature_method="HMAC-SHA1",oauth_timestamp="TIMESTAMP",oauth_nonce="NONCE",oauth_version="1.0",oauth_token="YOUR_TOKEN",oauth_signature="SIGN"
Source: https://twittercommunity.com/t/getting-the-user-details-using-access-token/6325/3