Dynamic User API Keys

Hi everyone, I am working on building a new application that will assist in trading cryptocurrencies for users. Right now, the idea is that a user will create an account on our platform, and then connect their Phemex account to our platform using their API key. The user will then be able to log into their account on our application and view a dashboard that populates their account balance, recent trades, etc., from their Phemex account via API call.

I’ve read a few articles about dynamic APIs, their limitations being plaintext in the database, and the possibility of using OAuth or backend workflows to resolve these challenges; however, I’m not quite sure where to begin since this is a complicated lift. Would any of you be able to help?

Thanks! - Andrew

1 Like

When you initialize the API in the API Connector Plugin just make sure to uncheck the box next to the api_key that says Private. That way when you use the API in the app, whether as a Data Source or Action, you will be able to set the API Key as Current User’s api_key.

1 Like

Hey William, thanks for responding. I have read about this solution; however, the issue is that if the user’s API key is set to public, that key would be executed in plain text, which would pose a large security risk.

I’m trying to search for a way around this, i.e. running it as a backend API workflow.

2 Likes

The way I like to do this for security is to have all the API keys sent to an external database linked with the unique user ID. The record ID of that database is then saved as a user field. Every time the user then wants to make use of that key, we query the database and run the whole workflow away from Bubble so that it cannot be intercepted / seen in the developer tools of a browser. The record ID is the only thing stored in Bubble and on its own, that cannot be misused. This also helps us to store multiple keys for multiple services for the user in one record.

4 Likes
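The pattern from the last reply, as an added example that is not code from any poster in this thread: the front end keeps only an opaque record ID, and the backend looks up the key, signs the exchange request and returns allow-listed fields. `KeyVault`, `sign`, `fetch_balance`, `fake_exchange`, the header names and the `/balance` path are hypothetical, the dict stands in for the external database, and the backend is assumed to have already authenticated `user_id`.

```python
import hashlib
import hmac
import secrets
import time

class KeyVault:
    """In-memory stand-in for the external database (constructed for this example)."""
    def __init__(self):
        self._records = {}  # record_id -> {"user_id": str, "keys": {service: (key_id, secret)}}

    def store(self, user_id, service, key_id, secret, record_id=None):
        """Save a key; returns the opaque record ID, the only value the front end keeps."""
        if record_id is None:
            record_id = secrets.token_urlsafe(16)
            self._records[record_id] = {"user_id": user_id, "keys": {}}
        self.record_for(record_id, user_id)["keys"][service] = (key_id, secret)
        return record_id

    def record_for(self, record_id, user_id):
        # The record ID is a pointer, not a credential: the authenticated
        # user ID must match the owner, or the lookup is refused.
        rec = self._records.get(record_id)
        if rec is None or rec["user_id"] != user_id:
            raise PermissionError("unknown record or not the owner")
        return rec

def sign(secret, path, expiry):
    # Hypothetical HMAC-SHA256 request signature; a real exchange defines its own scheme.
    return hmac.new(secret.encode(), f"{path}{expiry}".encode(), hashlib.sha256).hexdigest()

def fetch_balance(vault, record_id, user_id, service, send):
    """Runs on the backend. `send(path, headers)` performs the exchange call."""
    key_id, secret = vault.record_for(record_id, user_id)["keys"][service]
    path, expiry = "/balance", str(int(time.time()) + 60)  # hypothetical endpoint
    headers = {"x-key-id": key_id, "x-expiry": expiry, "x-signature": sign(secret, path, expiry)}
    upstream = send(path, headers)
    # Allow-list what goes back to the browser, so key material never leaves the backend.
    return {"balance": upstream["balance"]}

def fake_exchange(known_keys):
    """Constructed stand-in for the exchange API: checks the signature, returns a balance."""
    def send(path, headers):
        secret = known_keys[headers["x-key-id"]]
        expected = sign(secret, path, headers["x-expiry"])
        if not hmac.compare_digest(expected, headers["x-signature"]):
            raise PermissionError("bad signature")
        return {"balance": "1.25", "key_id": headers["x-key-id"]}
    return send
```

Passing the same `record_id` back into `store` adds a second service's key to the existing record, matching the one-record-per-user layout described in the reply.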