How to hide javascript API access data?

Question

How to hide javascript API access data?

Asked 8 years, 4 months ago

Viewed 961 times

-2

How do I hide this information that I pass as a parameter to the token request? the way anyone can see and cannot

var chaveToken = {
                "grant_type": "password",
                "username": "[email protected]",
                "password": "xxxxxxxxxx@121111"
            };       
    var token;

            $.ajax({
                url: 'http:/xxxxxx.com.br/token',
                async: false,
                contentType: 'application/x-www-form-urlencoded',
                type: 'POST',
                data: chaveToken,
                success: function (data) {
                    token = data.access_token);                        
                }
            });            


        $.ajax({
            url: 'http://xxxxxx.com.br/obterlistasreembolso',
            async: false,
            beforeSend: function (xhr) {
                xhr.setRequestHeader('Authorization', 'bearer ' + Token);
            },
            success: function (data) {
               bla bla bla
            }                
        });

4

If you cannot expose the data, do not use this API by Javascript. Request with a server-side language.

– bfavaretto

2016/06/30 at 18:47
2

Maybe I was not clear in the previous comment: in JS there will be no way to hide this data.

– bfavaretto

2016/06/30 at 19:06

2 answers

Browser other questions tagged jquery web-service token

You are not signed in. Login or sign up in order to post.

by Guilherme Branco Stracini • **654** points · Answer 1 · 2017-01-14T21:04:56+00:00

Since this is client-side, you can’t hide it. What you have to do is get the token through the server (server-side) using some language like PHP, ASP, ASP.NET, Java/JSP, Javascript (if it is by Node.js) and then you pass to the page only the token already obtained.

If not even the token can be seen by the user, then you must modify your application to act as a proxy for the API, where the user calls "actions" in your application and then it consumes the API of the service you are using in JS.

Just note the fact that the token can be generated based on the IP of the request, so if you generate the token by the server-side, the token will be generated for the IP of your server and if you choose the first alternative to pass only the token to the page, when the user requests with the token, the request will be by his IP (since it is client-side) and so the API can inform that the token is not valid (this you find out by the API documentation or even by performing tests)in which case you will be required to do the second alternative, turning your application into a proxy for the API by the server-side.

by Marcelo de Andrade • **7,261** points · Answer 2 · 2016-07-01T13:08:17+00:00

As @bfavaretto commented, there is no way to hide these credentials using the API in javascript. For this, use the server-side version of it.