I'm working on putting AngularJS on top of an existing Rails API. Part of the authentication process involves passing a "secret key".

I need to pass the secret key in order to authenticate, but I can't think of any way to pass the secret key without actually including it somewhere in the JavaScript.

I imagine this is either a common challenge or we're doing some things way wrong. How can I avoid hard-coding this key?

  • If it is on the clientside, there is no secure way to do it. Commented Apr 16, 2015 at 23:11
  • What is the front-end code authenticating with that it needs a secret key? Are there multiple APIs, and it needs to authenticate with a second? Commented Apr 16, 2015 at 23:16
  • If a secret key is required, the API call should usually be done from the server rather than the client. Commented Apr 16, 2015 at 23:18

2 Answers

1

Usually what I have seen is that the client requests a user-specific token from the API and then sends it back over HTTPS on a per-request basis.

If the secret key is shared across all clients then you have to do more work. One way to handle this would be to create a proxy that generates and accepts user-specific tokens on the frontend and uses the shared key on the backend. The JS would talk to the proxy.

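The proxy approach from the answer above, sketched as an added example that is not part of the original answer: the browser only ever holds a per-user, expiring token, and the proxy swaps it for the shared key on the server side. The HMAC token format, the environment variable names and the `X-Api-Secret` / `X-On-Behalf-Of` headers are assumptions made for illustration, not the Rails API's real interface.

```javascript
// Added example: names, headers and key values are constructed placeholders.
const crypto = require('crypto');

// Both secrets live only in the proxy's environment, never in the AngularJS bundle.
const API_SHARED_SECRET = process.env.API_SHARED_SECRET || 'constructed-shared-secret';
const TOKEN_SIGNING_KEY = process.env.TOKEN_SIGNING_KEY || 'constructed-signing-key';
const TOKEN_TTL_MS = 15 * 60 * 1000;

function sign(payload) {
  return crypto.createHmac('sha256', TOKEN_SIGNING_KEY).update(payload).digest('base64url');
}

// Called after the user has logged in to the proxy; returns a per-user, expiring token.
function issueToken(userId, now = Date.now()) {
  const claims = JSON.stringify({ sub: userId, exp: now + TOKEN_TTL_MS });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Returns the user id for a valid, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const [payload, mac, ...rest] = String(token).split('.');
  if (!payload || !mac || rest.length) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    if (typeof claims.sub !== 'string' || typeof claims.exp !== 'number') return null;
    return claims.exp > now ? claims.sub : null;
  } catch {
    return null;
  }
}

// Builds the backend request: the browser's token is checked and dropped,
// and the shared key is attached here, on the server side only.
function buildUpstreamRequest(browserHeaders, path, now = Date.now()) {
  const token = (browserHeaders.authorization || '').replace(/^Bearer /, '');
  const userId = verifyToken(token, now);
  if (userId === null) return { status: 401 };
  return { status: 200, path, headers: { 'X-Api-Secret': API_SHARED_SECRET, 'X-On-Behalf-Of': userId } };
}
```

A leaked token exposes one user until it expires, whereas the shared key never appears in any response or request the browser can inspect.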

0

There is no possible way to do this without the user being able to figure it out. Even if you don't include it in the js (which is almost impossible in itself), anyone can just use their browser devtools to inspect the network requests and see the key that way.
