Working with Kasabi API Keys

Posted on 02/20/2012

You signed up for a Kasabi account and have started developing a client-side application (e.g. a JavaScript and HTML based webapp), but you have just realised that every API call you make has to carry your API key. You have also realised that you will need to make this key a variable in your app, and that means that your key will be out there in the wild and open to potential abuse.

So what to do?

You could go down the code obfuscation route. While it doesn’t protect you from a determined hacker, it does mean that the casual browser of code (if there is such a person!) will not immediately know he is looking at your key. But really it can’t be a long-term solution.

Proxy

One alternative option is to use your web host to proxy all requests to Kasabi. If you are running an Apache instance, then here is a config file that should work for you. You will still need to authenticate with your proxy, as you don’t want someone finding it and using it willy nilly; the configuration below does not include that authentication.

This example proxy configuration matches all requests to a certain directory (which doesn’t need to exist on disk) and passes those requests on to the Kasabi API servers. The key thing here (pun intended) is to use the RequestHeader directive to set the X-KASABI-APIKEY header in the forwarded request. The beauty of this is that the additional header is only added to the request sent to Kasabi and is not passed back to the original caller.

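NameVirtualHost *
<VirtualHost *>
   # Reverse proxy only; do not act as an open forward proxy
   ProxyRequests Off
   <Proxy http://127.0.0.1/*>
      Allow from all
   </Proxy>
   # Requests under /kasabi are passed on to the Kasabi API servers
   <LocationMatch "/kasabi">
      ProxyPass http://api.kasabi.com/
      ProxyPassReverse http://api.kasabi.com/
      # Set on the forwarded request only; replaces any value the client sent
      RequestHeader set X-KASABI-APIKEY "MySecretAPIKey"
   </LocationMatch>
</VirtualHost>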

This approach can also be used (as in our example) to run a proxy on your development machine.

Environment

Another approach (assuming you have some code running on your server) is to have the key in your user environment.
Add the following to your user’s .profile:

KASABI_API_KEY=123YOURKEY123 ; export KASABI_API_KEY

The following code would get the key in PHP:

$kasabi_api_key = getenv('KASABI_API_KEY');
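
The two approaches combined, as an added example that is not part of the original post: server-side JavaScript (Node.js 18+ assumed, for the global fetch) that does the job of the Apache proxy and takes the key from the KASABI_API_KEY environment variable. The function names, the GET-only rule and the header allowlist are assumptions of this example, not anything Kasabi requires.

```javascript
const UPSTREAM = 'http://api.kasabi.com';  // upstream host from the Apache config
const PREFIX = '/kasabi/';                 // local path that is handed to the proxy
const FORWARDED = ['accept', 'accept-language', 'user-agent']; // allowlist (assumption)

// Turn an incoming browser request into the request that is sent to Kasabi.
// Returns { error: <status> } for anything the proxy should refuse.
function buildUpstreamRequest(method, path, headers, env) {
  const key = env.KASABI_API_KEY;            // same variable as the .profile line
  if (!key) return { error: 500 };           // key missing on the server: fail closed
  if (method !== 'GET') return { error: 405 };
  let u;
  try {
    u = new URL(path, 'http://localhost');   // normalises "..", "%2e%2e" and the like
  } catch (e) {
    return { error: 400 };
  }
  if (!u.pathname.startsWith(PREFIX)) return { error: 404 };

  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Only allowlisted headers pass, so a client-sent X-KASABI-APIKEY or Cookie is dropped.
    if (FORWARDED.includes(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  out['x-kasabi-apikey'] = key;              // added on the server, never seen by the browser
  return { url: UPSTREAM + '/' + u.pathname.slice(PREFIX.length) + u.search, headers: out };
}

// Forward the request and hand back only status, content type and body, so nothing
// from the outgoing request (the key included) is echoed to the original caller.
async function forward(method, path, headers, env = process.env, fetchImpl = fetch) {
  const req = buildUpstreamRequest(method, path, headers, env);
  if (req.error) return { status: req.error, contentType: 'text/plain', body: '' };
  const res = await fetchImpl(req.url, { method: 'GET', headers: req.headers, redirect: 'manual' });
  return {
    status: res.status,
    contentType: res.headers.get('content-type') || 'application/octet-stream',
    body: await res.text(),
  };
}
```

forward() can be called from whatever HTTP handler your server code already has; the page script then requests /kasabi/... on your own host and never holds the key.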

I would be interested in whether these approaches work for you. If you have another approach, then maybe we can showcase that too.
