Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!

Alteryx Designer Desktop Discussions

Find answers, ask questions, and share expertise about Alteryx Designer Desktop and Intelligence Suite.
SOLVED

Tips for protecting or obfuscate API keys/credentials in Download tool

mcha54
8 - Asteroid

We are starting to use the Download tool more and could potentially share out our workflows. Are there any best practices or tips on protecting or keeping them hidden? The workflow would still need to be runnable with the API key.

5 REPLIES 5
Harbinger
9 - Comet
I’d wrap the entire download tool in a standard macro. This actually can be a good idea anyhow as often times you’ll spend about 10/15 tools parsing the json,xml, or other data that is returned. So, to the end user it will just show up as a single tool magically pulling in data from the api.
danilang
19 - Altair
19 - Altair

Hi @mcha54 

 

@Harbinger idea is a good one, but converting to a macro can be time consuming and there's nothing stopping the user from right-clicking on the macro and opening it in designer where your API keys will be visible  Instead, you can just convert your workflow to an analytic app.  Then export your new app(Options->Export Workflow) with encryption.  

 

Encrypt.png

 

Make sure you have suitable output options set in the interface designer.  

 

Interface.png

 

Attached is the analytic app that I exported with encryption for the following simple workflow

 

WF.png

 

When you run it, all you get is the interface.  The guts of the workflow is encrypted.  All that readable in the workflow XML is some interface/system related info

 

A word of caution:  Alteryx encryption is one-way.  Once the workflow is encrypted, it can't be edited by anyone, even the person who encrypted it.  Save the original somewhere 

 

 

   Dan

 

Claje
14 - Magnetar

The main challenge for any request like this is that it is at best obfuscation.  Because of the nature of API requests (traffic is sent from the machine running the request), any technology which is requesting data from an API using a local device will inherently allow a sufficiently motivated user to identify the API key.

 

If the security of these API keys is truly a requirement, you would likely need to involve a technical team, and likely an (internal) server to handle the actual API requests.

 

A few thoughts on how to accomplish this:

An Alteryx workflow published to Alteryx Server could maintain the API key and have a payload defined by the user.  You could then use the Alteryx Gallery APIs to execute and pull results from this process.

A server with a self-built API that mirrors the desired destination API, and manages the API key.  This server would receive an API request and essentially "pass" this query on to your desired end location, including the API credentials, and would then return the expected response data.

If all you need to do is prevent a user from accidentally gaining access to the API key, then the other options presented in this thread will definitely help to meet this need.

mcha54
8 - Asteroid

Thanks everyone for the feedback and solutions! Definitely needs some thought to implement.

MuggleJosh
5 - Atom

We make individual users get their own api keys and then include the key as a macro input/config. That way the activity is always traceable to the user and there is not underlying key to be stolen. Usually these keys will have less access than other production/integration keys. 

Labels