OS OpenData Forum

OS OpenNames API keys

IanDickinson
  • Ian
  • Rating: 7 points Novice
    • 19 August 2015 09:38AM

    I think I'm missing something fairly basic here. I'm interested in using OS OpenNames on a project we're doing for a client. The app is a JavaScript application, so the API calls will be being made from the web browser, which means that the API key must be visible there. That means that a malicious user could take my API key, and use it on their application, using up my allocation of free transactions.

    The way that this is managed on other OS products, e.g. OpenSpaces, is that I can register a whitelist of IP addresses or DNS names of the services that are allowed to call the API with that key. So someone else copying my key doesn't gain anything. I can't, however, find a way in the Developer Portal of associating a whitelist of service hostnames with my OpenNames key.

    Am I missing the place to do that, or are we expected to manage Open Names API keys differently?

    Thanks,
    Ian

    2 responses

    OS OpenSpace Team
      • 19 August 2015 09:53AM

      Hi Ian,

      The key acts as authentication to the account, but it is up to the user to obfuscate the key. The best way of doing this would be to use a server-side language, e.g. PHP, to make the call to the API, and then return the results of the call to the JavaScript.

      Kind regards,

      OS OpenSpace Team

      IanDickinson
      • Ian
      • Rating: 7 points Novice
        • 19 August 2015 10:27AM

        Thanks for your reply. I have to say that's an odd lack of consistency with your other products.

        Clearly I could restrict the API key to being used in a server-side microservice (not using PHP though!), but that then adds significant complexity to the architecture for no appreciable gain. I'm afraid it leads us to the decision not to use Open Names for this project. I hope that's useful feedback to the product team.

        All the best,
        Ian
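The server-side call suggested in the reply above, sketched as a small Node.js proxy; this is an added example, not part of the original thread and not Ordnance Survey code. The upstream URL, the `query` and `key` parameter names, the allowed origin and the rate limits are all assumptions chosen for illustration.

```javascript
// Added example. UPSTREAM is a placeholder, not the real OS OpenNames endpoint;
// the "query" and "key" parameter names are assumptions for illustration.
const UPSTREAM = 'https://api.example.invalid/names/find';
const API_KEY = process.env.NAMES_API_KEY || 'constructed-demo-key';
const ALLOWED_ORIGINS = new Set(['https://app.example.invalid']); // your front end
const LIMIT = 30, WINDOW_MS = 60_000; // per-client budget protecting the allocation
const hits = new Map();

// Browsers send Origin on cross-site calls; non-browser clients can forge it,
// so this is a coarse filter and the rate limit below is the real control.
function originAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Fixed-window counter keyed by client address.
function allowRequest(client, now = Date.now()) {
  const slot = hits.get(client);
  if (!slot || now - slot.start >= WINDOW_MS) {
    hits.set(client, { start: now, count: 1 });
    return true;
  }
  return ++slot.count <= LIMIT;
}

// Only a validated search term is forwarded; the key is attached here, server-side.
function buildUpstreamUrl(query, key = API_KEY) {
  if (typeof query !== 'string' || !/^[\p{L}\p{N} ,.'-]{1,100}$/u.test(query)) return null;
  const url = new URL(UPSTREAM);
  url.search = new URLSearchParams({ query, key }).toString();
  return url.toString();
}

async function handle(req, res) {
  const query = new URL(req.url, 'http://localhost').searchParams.get('query');
  const target = buildUpstreamUrl(query);
  let status = 200, body = '';
  if (!originAllowed(req.headers.origin)) status = 403;
  else if (!allowRequest(req.socket.remoteAddress)) status = 429;
  else if (!target) status = 400;
  else {
    const upstream = await fetch(target).catch(() => null);
    status = upstream ? upstream.status : 502;
    body = upstream ? await upstream.text() : '';
  }
  res.writeHead(status, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': 'https://app.example.invalid' });
  res.end(body);
}
// Stand-alone run (CommonJS, Node 18+): PROXY_PORT=8080 NAMES_API_KEY=... node proxy.js
if (process.env.PROXY_PORT) require('node:http').createServer(handle).listen(+process.env.PROXY_PORT);
```

The browser code then calls the proxy with only the search term, and the key never appears in page source or network traces visible to the user.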


        © Ordnance Survey 2016