
So I have an app.

Mobile, or JavaScript. Whatever. Windows, Apple, Android. I have a logging API. It has an API key. The app needs to provide that API key before logging anything. One of the things I need to log is login failures! For that reason, I have to have that API key before the user logs in. Where do I store it?

I can't keep the API key in the app, like in the settings file or the source, because that is all available to the user. I can't call to the server for it with OAuth2, because the user hasn't authenticated, so I can't make the hash. I can't store it in the keychain, because the API key will still have to be in the app bundle when it downloads, in order to store it in the keychain.

So, where do I put it?

Bill Sempf
  • Is the logging done on a personal level, or just a system log? If the latter, why not some kind of public key to do the secure connection and log? – Kasper Agg Jan 28 '16 at 08:33
  • It's a third party service for logging. If I controlled the service, it would be OK. – Bill Sempf Jan 29 '16 at 15:23

1 Answer


You don't need a user to be authenticated in order for a client to make a secure request to a server for a generic API key. The simplest (insecure) way for you to do this is to build a simple GET RESTful endpoint on your server (e.g. http://www.sempf-overflow.com/logging/key) whose only response is your API key. Once you have that you can think about ways of making it secure.

You can read the following for more information as well as tradeoffs for different solutions:

bboyjacob
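As an added example (not code from the question or the answer above), here are both designs side by side as plain Python request handlers: the `GET /logging/key` endpoint the answer describes, which hands the third-party key to any caller (and, over the plain `http://` URL in the answer, to anyone on the path), and a relay endpoint that keeps the key on the server and forwards only whitelisted, size-limited, rate-limited events. The relay is the usual way to log unauthenticated events such as login failures without shipping a secret to the client. All names here (`THIRD_PARTY_KEY`, `/logging/event`, `forward_to_logging_service`) are hypothetical, and the key value is a constructed placeholder.

```python
"""Added example: two server-side designs for the logging-key problem.

Handlers take and return plain dicts so they can be exercised without a
network; a minimal http.server wrapper at the bottom serves them for real.
"""
import json
import time
from collections import defaultdict

# Hypothetical third-party logging API key (constructed placeholder).
# In a real deployment this comes from a server-side secret store, never from
# the client bundle.
THIRD_PARTY_KEY = "tp-live-0123456789abcdef"

# --- Design A: the GET /logging/key endpoint from the answer -----------------
# Anyone who can reach the endpoint obtains the key, so this only moves the
# secret from the app bundle to a URL; it does not keep it from the user.
def handle_get_key(request: dict) -> dict:
    return {"status": 200, "body": {"api_key": THIRD_PARTY_KEY}}

# --- Design B: a relay that never discloses the key ---------------------------
SENT = []  # constructed stand-in for the outbound HTTPS call to the provider

def forward_to_logging_service(event: dict) -> None:
    # Hypothetical: a real relay would POST to the provider over HTTPS.
    SENT.append({"Authorization": f"Bearer {THIRD_PARTY_KEY}", "event": event})

ALLOWED_EVENTS = {"login_failure", "app_crash"}  # server decides what is loggable
MAX_MESSAGE_LEN = 512
RATE_LIMIT = 20          # events per client per window
WINDOW_SECONDS = 60
_buckets = defaultdict(list)

def _rate_limited(client_id: str, now: float) -> bool:
    """Sliding-window counter; keeps the relay from being used as a log-spam proxy."""
    hits = [t for t in _buckets[client_id] if now - t < WINDOW_SECONDS]
    _buckets[client_id] = hits
    if len(hits) >= RATE_LIMIT:
        return True
    hits.append(now)
    return False

def handle_post_log(request: dict, now: float = None) -> dict:
    """Accept an unauthenticated log event and forward it with the key attached."""
    now = time.time() if now is None else now
    body = request.get("body")
    if not isinstance(body, dict):
        body = {}
    event_type = body.get("type")
    message = body.get("message", "")
    client_id = request.get("remote_addr", "unknown")
    if event_type not in ALLOWED_EVENTS:
        return {"status": 400, "body": {"error": "unknown event type"}}
    if not isinstance(message, str) or len(message) > MAX_MESSAGE_LEN:
        return {"status": 400, "body": {"error": "bad message"}}
    if _rate_limited(client_id, now):
        return {"status": 429, "body": {"error": "rate limited"}}
    # Only server-chosen fields are forwarded; the client cannot inject
    # arbitrary keys, and the response never contains THIRD_PARTY_KEY.
    forward_to_logging_service({"type": event_type, "message": message,
                                "client": client_id, "ts": now})
    return {"status": 202, "body": {"accepted": True}}

if __name__ == "__main__":
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class Handler(BaseHTTPRequestHandler):
        def _send(self, resp: dict) -> None:
            payload = json.dumps(resp["body"]).encode()
            self.send_response(resp["status"])
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def do_GET(self):
            if self.path == "/logging/key":
                self._send(handle_get_key({}))
            else:
                self._send({"status": 404, "body": {"error": "not found"}})

        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            try:
                body = json.loads(self.rfile.read(length) or b"{}")
            except ValueError:
                body = None
            if self.path == "/logging/event" and body is not None:
                self._send(handle_post_log(
                    {"remote_addr": self.client_address[0], "body": body}))
            else:
                self._send({"status": 404, "body": {"error": "not found"}})

    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With the relay, the app posts `{"type": "login_failure", "message": "..."}` to `/logging/event` before any user has authenticated, and the only secret the client ever holds is nothing at all; the cost is that the relay must be rate-limited and must whitelist event shapes, since it will be called by unauthenticated clients by design.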