There's really no secure way to do this in a client-side, "serverless", application. Even if you stored them in local files and "called" them as parameters, it would take all of 30 seconds for a determined client to find those keys. Many would suggest creating a back-end service that the keys/calls go through. An example that we currently use for some Alteryx apps with API outputs and custom HTML/JS front-ends is to use a single auth.php file to provide the OAuth strings for the client side SPAs (single-page-apps). Even this isn't foolproof, as the OAuth strings being sent to the Gallery API can be intercepted/decoded very easily by the client. Keep in mind, the Gallery API only uses OAuth 1.0 authorization which is provided to the API in GET parameters during the call.
In order to completely secure the keys, you would want to have your app make the API calls server-side...
Just to add to this... I've implemented external access on a couple of sites and each time I set up an entirely separate studio on a separate user for that external company, hence their own API key/secret. Then it didn't matter that they could find the key/secret because the only apps that they had access to were ones that were meant for them.
Note: This does restrict you from using the public part of your private gallery though.
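
The server-side approach recommended in the first reply, as an added example that is not part of the original thread or Alteryx's own code: a Node.js proxy core that keeps the key/secret in the server process, signs the OAuth 1.0 GET parameters itself, and lets the browser choose only from an allow-list of routes. Two-legged HMAC-SHA1 signing is assumed, and the host `gallery.example.com`, the route name `listApps`, its path and the environment variable names are hypothetical.

```javascript
const crypto = require("crypto");

// Secrets stay in the server process. Env var names and fallback values are constructed.
const CREDS = { key: process.env.GALLERY_API_KEY || "demo-key",
  secret: process.env.GALLERY_API_SECRET || "demo-secret" };

// Hypothetical allow-list: the browser names a route, never a URL or a credential.
const ROUTES = new Map([
  ["listApps", { method: "GET", url: "https://gallery.example.com/api/placeholder/apps" }],
]);

// RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849, section 3.6).
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// HMAC-SHA1 over the signature base string; with no token the signing key is "secret&".
function sign(method, url, params, secret) {
  const normalized = Object.entries(params).map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .map(([k, v]) => `${k}=${v}`).join("&");
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join("&");
  return crypto.createHmac("sha1", `${enc(secret)}&`).update(base).digest("base64");
}

// Builds the signed upstream URL. The result is used server-side and never sent to the browser.
function signedUpstreamUrl(routeName, query = {}, creds = CREDS,
    nonce = crypto.randomBytes(16).toString("hex"),
    timestamp = String(Math.floor(Date.now() / 1000))) {
  const route = ROUTES.get(routeName);
  if (!route) throw new Error(`route not allowed: ${routeName}`);
  // Drop any oauth_* values the client sent; only the server sets them.
  const clean = Object.fromEntries(Object.entries(query).filter(([k]) => !k.startsWith("oauth_")));
  const params = { ...clean, oauth_consumer_key: creds.key, oauth_nonce: nonce,
    oauth_signature_method: "HMAC-SHA1", oauth_timestamp: timestamp, oauth_version: "1.0" };
  params.oauth_signature = sign(route.method, route.url, params, creds.secret);
  const qs = Object.entries(params).map(([k, v]) => `${enc(k)}=${enc(v)}`).join("&");
  return { method: route.method, url: `${route.url}?${qs}` };
}

// Handler core: call upstream from the server and hand the browser the body only.
async function proxy(routeName, query, fetchImpl = fetch) {
  const { method, url } = signedUpstreamUrl(routeName, query);
  const res = await fetchImpl(url, { method });
  return { status: res.status, body: await res.text() };
}
```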