SOLVED

Security with Gallery Key and Secret

StephenR
Alteryx

What is the best way to pass the Gallery key and secret using JavaScript and the Alteryx Gallery API without having them in the code? I want to make some workflows available to people outside of our firewall, but do not want to expose those keys.

Regards,
Stephen Ruhl
Customer Support Engineer

4 REPLIES
Inactive User
Not applicable

Could call them from a local file that would call them as parameters.

Coxta45
11 - Bolide

There's really no secure way to do this in a client-side, "serverless", application.  Even if you stored them in local files and "called" them as parameters, it would take all of 30 seconds for a determined client to find those keys.  Many would suggest creating a back-end service that the keys/calls go through.  An example that we currently use for some Alteryx apps with API outputs and custom HTML/JS front-ends is to use a single auth.php file to provide the OAuth strings for the client-side SPAs (single-page-apps).  Even this isn't foolproof, as the OAuth strings being sent to the Gallery API can be intercepted/decoded very easily by the client.  Keep in mind, the Gallery API only uses OAuth 1.0 authorization, which is provided to the API in GET parameters during the call.

 

In order to completely secure the keys, you would want to have your app make the API calls server-side...
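
The server-side approach described in the reply above, as an added example in Node.js (not part of the original posts and not Alteryx's code): the browser sends only an app alias, and the back end checks it against an allowlist, reads the key and secret from its own environment, and signs the Gallery call. Assumptions: HMAC-SHA1 as the OAuth 1.0 signature method, the environment variable names, the alias table with its placeholder app id, and the `/workflows/{appId}/questions/` path.

```javascript
// Added example: server-side signing so the Gallery key/secret never reach the browser.
const crypto = require('node:crypto');

// RFC 3986 percent-encoding as required by OAuth 1.0 (RFC 5849 section 3.6).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Hypothetical allowlist: public alias -> Gallery app id (constructed placeholder).
const ALLOWED_APPS = { 'sales-report': 'APP_ID_PLACEHOLDER_1' };

// Sign a request with OAuth 1.0 HMAC-SHA1 (assumed signature method), no token.
function signGalleryUrl(method, url, key, secret, nonce, timestamp) {
  const params = {
    oauth_consumer_key: key,
    oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: String(timestamp),
    oauth_version: '1.0',
  };
  const normalized = Object.keys(params).sort()
    .map((k) => `${enc(k)}=${enc(params[k])}`).join('&');
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join('&');
  // No token is used, so the signing key is "<consumer secret>&".
  const sig = crypto.createHmac('sha1', `${enc(secret)}&`).update(base).digest('base64');
  return `${url}?${normalized}&oauth_signature=${enc(sig)}`;
}

// Called by the back-end route handler; the browser supplies only `alias`.
function upstreamUrlFor(alias, env = process.env) {
  // Own-property check so aliases like "constructor" cannot resolve via the prototype.
  const known = Object.prototype.hasOwnProperty.call(ALLOWED_APPS, alias);
  if (!known) throw new Error('unknown app alias'); // refuse anything not allowlisted
  const key = env.GALLERY_KEY, secret = env.GALLERY_SECRET; // assumed variable names
  if (!key || !secret) throw new Error('Gallery credentials not configured');
  const url = `${env.GALLERY_BASE_URL}/workflows/${enc(ALLOWED_APPS[alias])}/questions/`; // assumed path
  const nonce = crypto.randomBytes(16).toString('hex');
  return signGalleryUrl('GET', url, key, secret, nonce, Math.floor(Date.now() / 1000));
}
```

The back end fetches the returned URL itself and relays only the response body; the signed URL is never sent to the client.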

KaneG
Alteryx

Just to add to this... I've implemented external access on a couple of sites and each time I set up an entirely separate studio on a separate user for that external company, hence their own API key/secret. Then it didn't matter that they could find the key/secret because the only apps that they had access to were ones that were meant for them.

 

Note: This does restrict you from using the public part of your private gallery though.

StephenR
Alteryx

Thank you @Coxta45 and @KaneG.  Those are good suggestions.  Fortunately we don't use the public portion of our private gallery anyway due to security concerns, so that's not an issue.

Regards,
Stephen Ruhl
Customer Support Engineer