community Alteryx IO Alteryx.com
alteryx Community
Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Close
Free Trial

Dev Space

Customize and extend the power of Alteryx with SDKs, APIs, custom tools, and more.
SOLVED

Security with Gallery Key and Secret

StephenR
Alteryx
Alteryx
‎04-13-2018 01:30 PM

What is the best way to pass the Gallery key and secret using Javascript and the Alteryx Gallery API without having them in the code.  I want to make some workflows available to people outside of our firewall, but do not want to expose those keys.

Regards,
Stephen Ruhl
Principal Customer Support Engineer

Labels:
Reply
0 Likes

Accepted SolutionSolved! Go to Solution.

4 REPLIES 4
Inactive User
Not applicable
‎04-15-2018 07:48 PM

Could call them from a local file that would call them as parameters

Reply
0 Likes
Coxta45
11 - Bolide
‎04-16-2018 03:17 PM

There's really no secure way to do this in a client-side, "serverless", application.  Even if you stored them in local files and "called" them as parameters, it would take all of 30 seconds for a determined client to find those keys.  Many would suggest creating a back-end service that the keys/calls go through.  An example that we currently use for some Alteryx apps with API outputs and custom HTML/JS front-ends is to use a single auth.php file to provide the Oauth strings for the client side SPAs (single-page-apps).  Even this isn't fool-proof, as the Oauth strings being sent to the Gallery API can be intercepted/decoded very easily by the client.  Keep in mind, the Gallery API only uses Oauth 1.0 authorization which is provided to the API in GET parameters during the call.

 

In order to completely secure the keys, you would want to have your app make the API calls server-side...

Reply
KaneG
Alteryx Alumni (Retired)
‎04-26-2018 03:55 PM

Just to add to this... I've implemented external access on a couple of sites and each time I set up an entirely separate studio on a separate user for that external company, hence their own API key/secret. Then it didn't matter that they could find the key/secret because the only apps that they had access to were ones that were meant for them.

 

Note: This does restrict you from using the public part of your private gallery though.

Reply
StephenR
Alteryx
Alteryx
‎04-26-2018 05:17 PM

Thank you @Coxta45 and @KaneG.  Those are good suggestions.  Fortunately we don't use the public portion of our private gallery anyway due to security concerns, so that's not an issue.

Regards,
Stephen Ruhl
Principal Customer Support Engineer

Reply
0 Likes