How to hide JavaScript API access data?

-2

How do I hide this information, which is sent as parameters of the token request? The way it is now, anyone can see it, and they should not be able to.

    var chaveToken = {
        "grant_type": "password",
        "username": "[email protected]",
        "password": "xxxxxxxxxx@121111"
    };
    var token;

    // Request the access token using the password grant
    $.ajax({
        url: 'http://xxxxxx.com.br/token',
        async: false,
        contentType: 'application/x-www-form-urlencoded',
        type: 'POST',
        data: chaveToken,
        success: function (data) {
            token = data.access_token;
        }
    });

    // Call the API, sending the token in the Authorization header
    $.ajax({
        url: 'http://xxxxxx.com.br/obterlistasreembolso',
        async: false,
        beforeSend: function (xhr) {
            xhr.setRequestHeader('Authorization', 'bearer ' + token);
        },
        success: function (data) {
            // bla bla bla
        }
    });
    
asked by anonymous 30.06.2016 / 20:46

2 answers

0

As @bfavaretto commented, there is no way to hide those credentials when using the API from JavaScript. To do this, use the server-side version of it.

    
01.07.2016 / 15:08
0

Since this is client-side, it cannot be hidden. What you have to do is get the token through the server (server-side) using some language like PHP, ASP, ASP.NET, Java/JSP or JavaScript (if it is through Node.js), and then pass to the page only the token already obtained.

If even the token cannot be seen by the user, then you should modify your application to act as a proxy for the API, where the user calls "actions" in your application, which then consumes the API of the service that you are currently using from JS.

Just be aware that the token can be generated based on the IP of the request, so if you generate the token server-side, the token will be generated for the IP of your server. If you choose the first alternative and pass only the token to the page, then when the user makes the request with the token, the request will come from their IP (since it is client-side), and therefore the API may report that the token is not valid (you find this out through the API documentation or even by testing). In that case you will be required to use the second alternative, turning your application into a server-side proxy for the API.

    
14.01.2017 / 22:04
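
The second alternative from the answer above (the application acting as a server-side proxy for the API), as an added example that is not part of the original question or answers. It assumes Node.js 18+ (global `fetch`); the local route `/api/reembolsos`, the function names and the environment variable names are hypothetical, and the upstream host is the redacted one from the question.

```javascript
// Added example (not from the original page). Assumes Node.js 18+ for global fetch.
const API_BASE = 'http://xxxxxx.com.br'; // redacted host from the question

// Password grant done on the server: the credentials never reach the browser.
async function getToken(fetchImpl, creds) {
  const res = await fetchImpl(API_BASE + '/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'password', ...creds }).toString(),
  });
  if (!res.ok) throw new Error('token request failed: ' + res.status);
  return (await res.json()).access_token;
}

// The one "action" exposed to the page; the result carries neither credentials nor token.
async function listReimbursements(fetchImpl, creds) {
  const token = await getToken(fetchImpl, creds);
  const res = await fetchImpl(API_BASE + '/obterlistasreembolso', {
    headers: { Authorization: 'bearer ' + token },
  });
  if (!res.ok) return { status: 502, body: JSON.stringify({ error: 'upstream error' }) };
  return { status: 200, body: JSON.stringify(await res.json()) };
}

// HTTP front end: the page calls GET /api/reembolsos (hypothetical route) on this server.
async function startProxy(port, creds, fetchImpl = fetch) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    // Assumption: the application's own login/session check for the user goes here.
    if (req.method !== 'GET' || req.url !== '/api/reembolsos') {
      res.writeHead(404).end();
      return;
    }
    try {
      const out = await listReimbursements(fetchImpl, creds);
      res.writeHead(out.status, { 'Content-Type': 'application/json' }).end(out.body);
    } catch (err) {
      res.writeHead(502).end(); // do not echo upstream error details to the browser
    }
  }).listen(port, '127.0.0.1');
}

// Usage (API_USER / API_PASSWORD are hypothetical environment variable names):
// startProxy(3000, { username: process.env.API_USER, password: process.env.API_PASSWORD });
```

Because every upstream request now leaves from the server, a token bound to the requesting IP stays valid, which is the case the answer warns about.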