Being safe with your API tokens

A token is the secret part of your API security. Like a password, it should not be let into the wild or given to others. Even though others cannot use it to do their own things, if they know what your secret token is right now they can create traps for you with it: they could put an attractive URL in a page and entice you to click on it, while underneath it is really a URL, crafted with your token, that deletes your own blog.

So keep your tokens safe. If you must hard code them somewhere for your own work, do so only in private thoughts in a private group.

And if you suspect your token is compromised, or just want to feel safe, or are simply done with your work, log out of the domain and back in. That will give you a whole new secret token.
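The two defences the post describes, refusing a token that arrives inside a URL (the only place a crafted link can put it) and replacing the token on logout/login, written out as an added example. This is not code from the original page or from the site it describes; the origin `https://blog.example`, the `/api/blog` path, the `token` query parameter and the `check_request`/`TokenStore` names are all assumptions made for the illustration.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed origin of the API host (constructed for this example).
SITE_ORIGIN = "https://blog.example"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


class TokenStore:
    """Maps account -> currently valid API token.

    Logging out and back in issues a fresh token, as the post describes,
    so any copy of the old one stops working.
    """

    def __init__(self):
        self._tokens = {}

    def issue(self, account):
        token = secrets.token_urlsafe(32)
        self._tokens[account] = token
        return token

    def rotate(self, account):
        # Same operation as a logout/login cycle: old token is overwritten.
        return self.issue(account)

    def account_for(self, token):
        for account, current in self._tokens.items():
            if secrets.compare_digest(current, token):
                return account
        return None


def same_origin(value):
    """True when an Origin/Referer header value names our own scheme+host."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_request(store, method, url, headers):
    """Return (allowed, reason) for one API call.

    A link planted on another page can only carry a token in the URL, so a
    token in the query string is refused outright and should be treated as
    leaked. Callers must instead send the token in an Authorization header,
    which a plain link or cross-site form cannot set, and state-changing
    calls must additionally come from the site's own origin.
    """
    query = parse_qs(urlsplit(url).query)
    if "token" in query:
        return False, "token in URL: refused, treat as leaked and rotate"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    account = store.account_for(auth[len("Bearer "):])
    if account is None:
        return False, "unknown or rotated token"
    if method.upper() in STATE_CHANGING:
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not same_origin(origin):
            return False, "cross-site state change refused"
    return True, f"ok for {account}"


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")  # constructed sample account
    # The trap from the post: a DELETE link with the token baked into it.
    print(check_request(store, "DELETE", f"/api/blog?token={tok}", {}))
    # The legitimate call: header-borne token from our own origin.
    print(check_request(store, "DELETE", "/api/blog",
                        {"Authorization": f"Bearer {tok}", "Origin": SITE_ORIGIN}))
    old = tok
    store.rotate("alice")
    print(check_request(store, "GET", "/api/blog",
                        {"Authorization": f"Bearer {old}"}))
```

`same_origin` compares the full scheme and host rather than using a prefix test, so `https://blog.example.attacker-host` does not pass; if a Referer header is absent on a state-changing call the request is refused rather than waved through.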


  1. api
  2. token


Si says
And incidentally, this same scenario applies to ANYTHING in the system, not specifically to the API. As I have been saying many times, the whole system needs a full security review done from a standard security review checklist. I make things relatively safe when I work on code, but there is more to all the aspects of full site security than one developer can keep in their head all the time.  

Holmes says
seth of group seth 2016-03-01 07:21:21 [item 20214#47302]
What prevents a phisher writing an HTML form on whatever server under a submit button falsely advertising to you, which then retrieves your current token and does a put for with your credentials?
nathan of group nathan 2016-03-01 07:28:34 [item 20214#47303]
That is an xss attack. Since the API is not jsonp, the browser xss security should be preventing that from happening automatically.

However, it would not hurt to do an extra ip address check so that server proxied xss attacks can be avoided too. Good point.
seth of group seth 2016-03-01 07:46:40 [item 20214#47307]
well the ip address of the person clicking the phishing button would be the same ip address of the person with the credentials. they just think they are doing something which they are not.
Poe of group da 2016-03-01 07:49:09 [item 20214#47308]
When they are the same, then it is the browser and normal xss security is in effect. When the ip is different, then it could be a proxy pretending to be the browser and should not be trusted.
seth of group seth 2016-03-01 08:32:21 [item 20214#47323]
well you may or may not be missing my point.  omg, i might need to write code to make my point to you  … or alternative convince myself that it cannot be done. 
Poe of group da 2016-03-01 08:38:19 [item 20214#47324]
Yes. Well what you describe is classic phishing and was what xss restrictions in browsers were created for. It is part of why a browser cannot actually be logged into two places at the same time. But go ahead. There is always room for another hacker on the web finding a new attack.
seth of group seth 2016-03-01 08:43:35 [item 20214#47325]
well i can see the challenge where the form submitted to a different domain … but what if the form was submitted to a place in the same domain. How would any client browser even know the difference? So if that is true, then we are relying on the inability of a person to script in this domain … and not some xss protection in the browser. right? … or not right?
Yes. If it is the same domain, then some aspects of it would work. But seriously, if anyone can write server side scripts “in your domain” then you have way bigger problems than phishing a token! Browser side is not good enough … you have to be “logged in” to get the token and the server has to cooperate in order for another party to get the information … again “xss”.
