How secure is API Data Source?

Hi everyone!

I’m creating an ecommerce page and I’m using a GET request to load the products into my page from an external app. The thing is, after reading the documentation regarding the API Connector, I was concerned about this paragraph:

“WARNING WARNING WARNING: API Connector is client side only and runs in the browser! The API key or Authentication you use will be easily visible to the user! So you should only use limited API keys for public sites or make sure your site is absolutely secured for restricted use only. For example using the Security Provider Enforcer.”

I would like to not expose my API key, but I’m not really sure how “API Data Source” works. Also, the data isn’t really “private” because it is a webstore, but I’m worried that any malicious person would write a script and do many requests, collapsing my app.

Can someone please tell me if my concern makes sense and how I can address this issue?

If you're displaying readily available information such as product name, price, image etc. from a third party API that does not require authentication, then you could safely use the API data source in app connect.


The answer to your question is quite simple and straightforward. If you are dealing with and sending private API keys or secret keys in your API calls - use the server side API tools. This way they are sent on the server side and not exposed to the client side.
If you are dealing with public keys, then you can use client side API tools.


That is what I was missing! Sorry, I’m a newbie, could you please tell me if this is the one you are referring to (as I said I’m new here so I’m getting used to Wappler’s UI :sweat_smile:):

Also, do I have to somehow include the Security Provider?

Thank you!

Yeah, I didn’t express myself very well. The other app is mine as well and I don’t want to expose/make public my endpoints or my API keys anywhere. I just realized that Wappler does provide a server side API connection, but thanks anyway, appreciate it!


Yes, that is the server side API action.

The Security Provider along with Security Restrict is how you restrict access to the entire server connect file itself. If the permissions are not granted, then the file will not execute.


Thanks!!
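
The server-side pattern recommended in the answers above, as an added example in plain Node.js (not part of the thread and not Wappler's own code): the browser calls your own endpoint, the server attaches the key, and a per-client limit addresses the scripted-request concern. The upstream URL, the `X-Api-Key` header name, the forwarded parameters and the limits are assumptions for illustration.

```javascript
// Added example: keep the API key on the server and throttle each client.
const UPSTREAM_URL = "https://inventory.example.internal/v1/products"; // hypothetical upstream
const ALLOWED_PARAMS = new Set(["page", "category"]); // only these client params are forwarded
const WINDOW_MS = 60000;  // assumed window: 1 minute
const MAX_REQUESTS = 30;  // assumed budget per client per window
const hits = new Map();   // clientIp -> { start, count }

// Fixed-window rate limit per client IP; returns false once the budget is spent.
function allowRequest(clientIp, now = Date.now()) {
  const entry = hits.get(clientIp);
  if (!entry || now - entry.start >= WINDOW_MS) {
    hits.set(clientIp, { start: now, count: 1 });
    return true;
  }
  entry.count += 1;
  return entry.count <= MAX_REQUESTS;
}

// Build the upstream call on the server. The key comes from server config,
// never from the browser, and unknown query parameters are dropped.
function buildUpstreamRequest(clientQuery, apiKey) {
  const url = new URL(UPSTREAM_URL);
  for (const [name, value] of Object.entries(clientQuery)) {
    if (ALLOWED_PARAMS.has(name)) url.searchParams.set(name, String(value));
  }
  return { url: url.toString(), headers: { "X-Api-Key": apiKey, Accept: "application/json" } };
}

// What the browser receives: product fields only, no key and no upstream URL.
async function handleProducts(clientIp, clientQuery, apiKey, fetchImpl = fetch) {
  if (!allowRequest(clientIp)) return { status: 429, body: { error: "too many requests" } };
  const { url, headers } = buildUpstreamRequest(clientQuery, apiKey);
  const upstream = await fetchImpl(url, { headers });
  if (!upstream.ok) return { status: 502, body: { error: "upstream unavailable" } };
  const products = await upstream.json();
  return { status: 200, body: products.map(({ name, price, image }) => ({ name, price, image })) };
}
```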