Question: We are using Kloudless to enable efficient file uploading from the client side. The Kloudless API Key and account ID will be public from the client side.
Other than setting the trusted domains, is there any way to protect it right now?— Kloudless Developer, Palo Alto CA
Answer: I would definitely not include the Kloudless API Key on the client-side because this creates a security risk. Use the users’ Account Keys instead. Account Keys function the same way as API Keys, but only provide access to the connected account.
Here’s how you can use Account Keys with the File Explorer:
Account Keys can be returned from the File Explorer by setting the “account_key” option to true. They are only returned to Trusted Domains (you can add your domain as a Trusted Domain via the App Details page in the Developer Portal). Once you have the Account Keys set on the client-side, you can use them to make requests. Additionally, Account Keys can also be retrieved via the backend as well.
Account Keys are also useful when you want to show returning users which accounts they have already connected previously. Storing Account Keys for the user gives you the ability to render user accounts on the client-side and pass them in via the “keys” option. All of this happens while instantiating the File Explorer, which will display the corresponding accounts to the user automatically.
This approach protects your Kloudless API Key. If you want to dig deeper into how the Kloudless API handles Account Keys, check out the docs. You can also use the Interactive Docs to list account keys for your account, request Account Keys or get information about Account Keys. If you have any other questions, just let me know. I’m reachable at email@example.com. — Vinod Chandru, VP of Engineering / Co-Founder @ Kloudless
Have any questions about Kloudless or file storage in the cloud? Ping us and ask!