How to make the API Key sticky?

To test-drive our API from the Dev Portal we allow our users to specify their API key via the 'Custom Token' form. This works fine but it is very annoying that our users have to reenter the API key in the 'Custom Token' form when they change browser tabs or log out of the Dev Portal.


How can we make the API key sticky?


You can modify the smartdocs JavaScript code to store the API key in browser LocalStorage, and then retrieve the API key from local storage on page reload.

For more on local storage see here.

Hi Dino! Thank you for your help.

  • If I'd go down the JavaScript route, where would I have to make modifications?
  • Wouldn't it be somewhat insecure to save the API key in local storage?
  • I can see all my API keys in the My Apps section of the Dev Portal. Do you know if I can access the API keys from JavaScript? If so, I'd only need to save a hash of the current API key in local storage. That would make it more secure.

Thanks,

Hannes

You'd want to modify the smartdocs model.js, probably. It's located in profiles/apigee/modules/custom/devconnect/smartdocs/local/js/v6/model.js

Whether LocalStorage is secure or not for your purposes is up to you to decide. There are lots of discussions about the topic, for example here. You've probably read into it yourself.

You cannot retrieve the API keys from JS directly, but you *could* read them from JS from the apps listing page, if/when the user visits it. And THEN you could store all of those keys into localStorage, if you wanted to. I'm not clear on the exact scenario you're going for here, so this may not make sense.

A better way than storing the API key is to store a time-limited token. That way if it gets lost or compromised, the token will be expired, so the window of exposure is smaller. But for that you would need to implement OAuth 2.0 security.
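
The trade-off discussed in this thread, as an added example that is not part of the original posts or of the SmartDocs code: a Web Storage wrapper that keeps the API key sticky but deletes it after a client-side expiry. This only bounds how long the key sits in the browser; unlike an OAuth 2.0 token it does not expire the key on the server. `STORAGE_KEY`, the function names and the in-memory storage stand-in are assumptions for illustration; in the Dev Portal you would pass `window.localStorage` or `window.sessionStorage`.

```javascript
// Added example (hypothetical names throughout, not SmartDocs code).
const STORAGE_KEY = 'smartdocs.apikey'; // assumed Web Storage entry name

// Persist the key together with an absolute expiry timestamp (ms since epoch).
function saveApiKey(storage, apiKey, ttlMs, now = Date.now()) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new TypeError('apiKey must be a non-empty string');
  }
  if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
    throw new RangeError('ttlMs must be a positive number');
  }
  storage.setItem(STORAGE_KEY, JSON.stringify({ apiKey, expiresAt: now + ttlMs }));
}

// Return the stored key, or null. Expired or malformed entries are deleted
// so a stale key does not linger in the browser profile.
function loadApiKey(storage, now = Date.now()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let entry = null;
  try {
    entry = JSON.parse(raw);
  } catch (e) {
    entry = null; // not JSON: treat as corrupted
  }
  const valid = entry !== null && typeof entry === 'object' &&
    typeof entry.apiKey === 'string' &&
    Number.isFinite(entry.expiresAt) && now < entry.expiresAt;
  if (!valid) {
    storage.removeItem(STORAGE_KEY);
    return null;
  }
  return entry.apiKey;
}

// Call this from the portal's logout handler so the key does not outlive the session.
function clearApiKey(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Constructed in-memory stand-in for window.localStorage, so the example runs offline.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

Anything in Web Storage is readable by any script running on the portal's origin, so the expiry limits exposure time but not exposure to injected script.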