Jump to the following:

OS uses cookies to improve this website. Read about cookies

  • twitter
  • Google+
  • facebook

OS OpenData Forum

OS OpenNames API keys

IanDickinson
  • Ian
  • Rating: 7 points Novice
    • 19 August 2015 09:38AM
    • 822 Views
    • Visits: 84
    • Discussions: 7
    • Responses: 8
    • Registered: 4 August 2011 07:53PM
    • Last active: 19 August 2015 10:48AM

    I think I'm missing something fairly basic here. I'm interested in using OS OpenNames on a project we're doing for a client. The app is a JavaScript application, so the API calls will be being made from the web browser, which means that the API key must be visible there. That means that a malicious user could take my API key, and use it on their application, using up my allocation of free transactions.

    The way that this is managed on other OS products, eg OpenSpaces, is that I can register a whitelist of IP addresses or DNS names of the services that are allowed to call the API with that key. So someone else copying my key doesn't gain anything. I can't, however, find a way in the Developer Portal of associating a whitelist of service hostnames with my OpenNames key.

    Am I missing the place to do that, or are we expected to manage Open Names API keys differently?

    Thanks,
    Ian

    3 responses

    OS OpenSpace TeamOS OpenSpace Team
      • 19 August 2015 09:53AM
      • 821 Views
      • Visits: 12,885
      • Discussions: 127
      • Responses: 1,250
      • Registered: 31 January 2008 01:50PM
      • Last active: 23 April 2018 10:16AM

      Hi Ian,

      The key acts as authentication to the account, but it is up to the user to obfusticate the key. The best way of doing this would be to use a server-side language e.g. PHP to make the call to the API, and then return the results of the call to the javascript.

      Kind regards,

      OS OpenSpace Team

      IanDickinson
      • Ian
      • Rating: 7 points Novice
        • 19 August 2015 10:27AM
        • 818 Views
        • Visits: 84
        • Discussions: 7
        • Responses: 8
        • Registered: 4 August 2011 07:53PM
        • Last active: 19 August 2015 10:48AM

        Thanks for your reply. I have to say that's an odd lack of consistency with your other products.

        Clearly I could restrict the API key to being used in a server-side microservice (not using PHP though!), but that then adds significant complexity to the architecture for no appreciable gain. I'm afraid it leads us to the decision not to use Open Names for this project. I hope that's useful feedback to the product team.

        All the best,
        Ian

        rosieperry
          • 6 October 2017 04:37AM
          • 199 Views
          • Visits: 0
          • Discussions: 0
          • Responses: 0
          • Registered: 6 October 2017 04:29AM
          • Last active: 6 October 2017 04:29AM

          My comprehension of the term API Application Programming Interface is to include, alter or change information a web application, in your circumstance I can just expect that you would assemble an application with the application manufacturer that has set substance to be shown that you would just refresh or change by means of the application developer.

          At the point when an API is involved, you can alter this information from an outside source keeping in mind the end goal to refresh the substance. Essay Help | Essay Star written for instance a news site makes an application with the application manufacturer you're utilizing, rather than them signing into the application developer to refresh content all the time they interface the application developer to their own particular site that can utilize the application developer API to then include new stories or alter existing ones.

          That is the main explanation I can assemble of why you would require an API Key for the application, for your situation being a Youth Group you would not require the API Key.

          Please login or sign-up to respond to this discussion.

          © Ordnance Survey 2016