How should i pass API keys to my backend?

sondredoli · 2024-09-24T07:46:30.943Z

Hi,
I have made an integration where the user enters their username/password to a service.

With this username/password i can get an AccessToken from an API that will be used to connect to the service i want to get data from.

Everything works today, but im wondering how to do this the safest way. I can not run my API call in the frontend becouse i also have a private bearer token that needs to be sent with the auth request.

My solution today is to send username/password to an backend api workflow that stores the accessToken to my database. I use API Connector to connect to my own backend api workflow to make sure the request happens instant, and that i can get an “OK” og “Failed” response in return.

It doesn`t feel safe to pass a password this way. Any thoughts?

sondredoli · 2024-09-24T12:19:12.075Z

For now i ended up with a base64 encode before the API call, and decode it in my api workflow

Zeroic · 2024-09-24T13:47:32.433Z

Yep, this is the ideal way. Just make sure your backend workflow is set up correctly though. There shouldn’t be any unauth access to that if a potential hacker gets your endpoint. Also, the privacy rules for the accessToken field

sondredoli · 2024-09-24T14:26:35.626Z

Endpoint is secured, and privacy rules is strict, so it can only be accessed from backend.

Thanks for your input

redvivi · 2024-09-24T19:54:15.427Z

sondredoli:

For now i ended up with a base64 encode before the API call, and decode it in my api workflow

Base64 has the virtue to preserve any string transformation while being passed.
When it comes to security, base64 encoding doesn’t change anything vs clear text…

sondredoli · 2024-09-24T21:10:08.573Z

Thats true, but it feels safer anyway.

Do you have any suggestions to how it should be handled?

I know many apis send clientkey/client secret as parameters to get an accessToken, and that’s exactly what i do here. The only reason why I’m not so comfortable is because with this service you have to use your username and password to get the access token in return.

redvivi · 2024-09-25T03:27:27.489Z

sondredoli:

Thats true, but it feels safer anyway.

Feelings do not bring any security.

sondredoli:

Do you have any suggestions to how it should be handled?

Unless the service supports OAuth, your current design is the best you may do.

sondredoli · 2024-09-25T04:10:35.354Z

I do agree that feelings don’t make it safer, but my point was that an base64 encoded string always will be safer to pass, than a readable password.

georgecollier · 2024-09-25T08:37:50.886Z

sondredoli:

my point was that an base64 encoded string always will be safer to pass, than a readable password.

VGhpcyBpcyBub3Qgc2VjdXJlISBZb3UgZG8gbm90IG5lZWQgYW55IHBhc3N3b3JkIHRvIHZpZXcgdGhpcy4gSnVzdCBwYXN0ZSBpdCBpbnRvIGEgYmFzZTY0IGRlY29kZXIuIEl0J3MgcHJvYmFibHkgbm90IGV2ZW4gd29ydGggeW91ciB0aW1lLCBlc3BlY2lhbGx5IGFzIHlvdSdsbCBiZSB1c2luZyBwbHVnaW5zIHRvIGRlY29kZSB0aGUgYmFzZTY0IGluIHRoZSBiYWNrZW5kIHdoaWNoIGluY3VycyBXVS4=