Read-Only API Key for security
I’m working on a mobile app for our station that lets people listen in to our live broadcast, and I was going to add in a feature where it shows the currently playing song using the spinitron API. However, I’d need to use the API key to authenticate it, which either means putting it in the app (which then means making the API key public) or putting it in layers of backend that the app would connect to first (which someone could still connect through and get to the key eventually).

Since I don’t see any way for the key to be totally obscured, I was wondering if there was a way to make a key that only has read access to the API? Like, it can’t use the /post endpoint to add songs to the playlist? Then it wouldn’t be an issue if people are able to see and use the key.

I don’t really think that any of the people using the app would ever go through and get at the key, and even if they did I don’t think people would have an interest in adding songs to our playlists, but I don’t want to be the source of a security issue for our station nonetheless.

Thanks, Blake

Hi Blake, thanks for joining the forum and asking.

We are not only trying to protect Spinitron from unauthorized injection of spins, we expect web and mobile app authors to write their apps so that the client fetches data from their server. Please read the Terms of service for Spinitron API.

Partly we want to distribute some request load away from Spinitron’s servers. But there are other reasons too.

Server-side data caching is an important optimization for any such app. But the cache policy really needs to be part of the app’s design. Spinitron cannot implement a cache that’s both efficient and suitable for everyone’s app. That’s why we have no caching on the API and you have complete control.

And web apps can avoid cross-origin requests if the client scripts fetch data from their own servers.

So, in the implementations that we expect, the API key need be deployed only on their back-end servers where it can easily be secured. And you might reasonably decide that the endpoints that your app uses to fetch data from your server need no auth at all.

The API demo site shows how easy it is to implement such a caching back end for a service that displays recent spins and upcoming shows.

Btw, if you have already distributed the station’s key, please let me know so I can regenerate it.
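The back-end pattern described in the reply above, as an added example (not Spinitron's code and not the API demo site): a small Python service that reads the station's key from an environment variable, fetches recent spins from Spinitron, caches the result for a short TTL so the app's traffic does not all reach Spinitron, keeps serving the last good answer if the upstream call fails, and exposes a single unauthenticated `/now-playing` endpoint that returns only the fields the app displays. The base URL `https://spinitron.com/api`, the `/spins` endpoint and the bearer-token header are assumptions not stated in this thread; check them against your API documentation.

```python
"""Minimal caching back end that keeps the Spinitron API key server-side.

Added example for this thread; it is not Spinitron's code or the API demo site.
Assumptions (not stated in the thread): the API is reachable at
https://spinitron.com/api, recent spins come from /spins, and the key is sent
as a bearer token. Adjust these if your account's documentation differs.
"""
import json
import os
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SPINITRON_API = "https://spinitron.com/api"   # assumed base URL
CACHE_TTL_SECONDS = 15                         # tune to your station's needs


def fetch_recent_spins(api_key, count=1, urlopen=urllib.request.urlopen):
    """Call Spinitron with the secret key. Only the server ever runs this."""
    req = urllib.request.Request(
        f"{SPINITRON_API}/spins?count={count}",
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def public_view(spins_response):
    """Keep only what the app displays; the key and any other server-side
    detail never reach the client."""
    items = spins_response.get("items", [])
    if not items:
        return {"now_playing": None}
    spin = items[0]
    fields = ("artist", "song", "release", "start")
    return {"now_playing": {k: spin.get(k) for k in fields}}


class NowPlayingCache:
    """Server-side TTL cache. Within the TTL every app request is answered
    from memory; if Spinitron is briefly unreachable, the last good answer is
    served for another TTL instead of an error."""

    def __init__(self, loader, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._loader = loader      # callable returning the raw API response
        self._ttl = ttl
        self._clock = clock        # injectable for testing
        self._lock = threading.Lock()
        self._value = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            now = self._clock()
            if self._value is None or now >= self._expires_at:
                try:
                    self._value = public_view(self._loader())
                except Exception:
                    if self._value is None:
                        raise          # nothing cached yet: surface the failure
                self._expires_at = now + self._ttl
            return self._value


def build_cache(api_key, **kwargs):
    return NowPlayingCache(lambda: fetch_recent_spins(api_key), **kwargs)


class NowPlayingHandler(BaseHTTPRequestHandler):
    cache = None  # set in main()

    def do_GET(self):
        # The mobile app calls this; it needs no auth and carries no key.
        if self.path != "/now-playing":
            self.send_error(404)
            return
        body = json.dumps(self.cache.get()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", f"public, max-age={CACHE_TTL_SECONDS}")
        self.end_headers()
        self.wfile.write(body)


def main():
    # The key lives only in the server's environment: never in the app binary,
    # never in a response, never in source control.
    NowPlayingHandler.cache = build_cache(os.environ["SPINITRON_API_KEY"])
    HTTPServer(("0.0.0.0", 8080), NowPlayingHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it with `SPINITRON_API_KEY=... python now_playing_proxy.py` and point the app at `http://<your-host>:8080/now-playing`. The app endpoint is deliberately read-only and unauthenticated, which is the "no auth at all" option the reply mentions; the loader and clock are injected so the cache logic can be exercised without network access.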

Ok, I will make my own back-end for it. I have not distributed the key so no need to regenerate it! Thanks for the offer though.