A private URL creates a fixed access token that may be used as part of the site URL query to access protected areas of the server without explicitly logging in. You can use private URLs to delegate authority to third-party applications that cannot use OAuth such as feed readers.
Private URLs are useful for rapid prototyping because they remove the need to implement OAuth for full authentication. They are, however, insecure by design, and OAuth should be used for production systems.
A private URL makes a pin-hole through the security of the site. Anyone able to snoop the traffic can access the protected resources using your key.
Be careful not to distribute private URLs to any public web sites.
A private URL token gives access to all subpaths of the given path. Be careful not to grant broader access than you need.
Note that you may revoke private URLs at any time. Do so immediately if you have reason to believe your key has been compromised.
Private URL keys must be created manually for the account they are used with. Log in to the api.obexcode.com site and navigate to "Private keys" on the main page. Here you can add keys for specific paths.
The input form specifies what path you want the key to be valid for. The key will be valid for this path and all subpaths, so make sure you only specify the paths you want to use.
It is recommended to make the permissions of each key as narrow as possible, and to generate extra keys for other paths instead.
After creating your key, it will show up in your list of keys like this:
| Private key | URL | Created | Actions |
|---|---|---|---|
| ee7be3add81bb569b37a50fb0d2f57049baaf81b | /v2/services/syncml/ | 2009-06-19T11:27:13Z | [ Delete ] |
| 463ad643b1a192d15c58bc6741340d025057cae1 | /v2/services/ | 2009-07-13T15:09:32Z | [ Delete ] |
Accessing a protected resource using a private key is done by appending the following query parameter to the URL. Add it even when using methods such as POST, PUT and DELETE.
http://api.obexcode.com/v2/services/?_private=463ad643b1a192d15c58bc6741340d025057cae1
The effect of adding the private key is that the request is treated as if you were logged in, for this single request only. Subsequent requests will not be logged in unless the private key is provided for those requests as well.
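The following client-side helper is an added example and is not code from api.obexcode.com or its documentation. It covers two points above: the "path and all subpaths" rule for key validity (so the narrowest key in your listing is chosen for each request, as the least-privilege recommendation asks) and appending `_private=<key>` to a URL while preserving any query parameters already present. The two keys and paths are the ones shown in the listing above; the segment-wise matching rule and the refusal to send a key over plain `http://` (the page itself shows an `http://` URL) are this example's own assumptions, added because the page notes that anyone snooping the traffic can reuse the key.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Key listing as shown on the page (constructed list; values copied from the table above).
KEYS = [
    {"key": "ee7be3add81bb569b37a50fb0d2f57049baaf81b", "path": "/v2/services/syncml/"},
    {"key": "463ad643b1a192d15c58bc6741340d025057cae1", "path": "/v2/services/"},
]


def _segments(path: str) -> list:
    """Split a URL path into non-empty segments: '/v2/services/' -> ['v2', 'services']."""
    return [s for s in path.split("/") if s]


def key_covers_path(key_path: str, request_path: str) -> bool:
    """A key for a path is valid for that path and all of its subpaths.

    Assumption (not stated on the page): matching is done on whole path segments,
    so a key for /v2/services/ does not cover /v2/servicesX/.
    """
    key_segs = _segments(key_path)
    return _segments(request_path)[: len(key_segs)] == key_segs


def narrowest_key(keys: list, request_path: str):
    """Return the key with the longest (most specific) path that still covers request_path.

    This implements the least-privilege advice: prefer the narrow key over the broad one.
    Returns None when no key covers the path.
    """
    candidates = [k for k in keys if key_covers_path(k["path"], request_path)]
    if not candidates:
        return None
    return max(candidates, key=lambda k: len(_segments(k["path"])))


def add_private_param(url: str, key: str) -> str:
    """Append _private=<key> to url, keeping existing query parameters and the fragment.

    Any _private value already in the URL is replaced rather than duplicated.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "_private"]
    query.append(("_private", key))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def build_request_url(url: str, keys: list, require_tls: bool = True) -> str:
    """Pick the narrowest matching key for url's path and attach it as _private.

    Raises ValueError if no key covers the path, or if require_tls is set and the
    URL is not https (the key would travel in clear text and could be snooped).
    """
    parts = urlsplit(url)
    if require_tls and parts.scheme != "https":
        raise ValueError("refusing to send a private key over %r; use https" % parts.scheme)
    chosen = narrowest_key(keys, parts.path)
    if chosen is None:
        raise ValueError("no private key covers path %r" % parts.path)
    return add_private_param(url, chosen["key"])


if __name__ == "__main__":
    # Use the same URL for GET, POST, PUT or DELETE; the parameter is attached regardless of method.
    print(build_request_url("https://api.obexcode.com/v2/services/syncml/?limit=10", KEYS))
```

Because the parameter is attached to the URL rather than sent as a header or body field, it will appear in server access logs, proxy logs and browser history wherever the request is made; that is part of why the page recommends narrow keys and prompt revocation.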
If you believe your key has been compromised, revoke it by selecting the "Delete" action on the key listing page.
This removes the key from the system, closing the pin-hole.