This week’s feature update is all about keys! Keep your API authentication secure with API keys and user authentication secure with custom OAuth keys.
API Key Rotation
Have you ever accidentally published your API key to an insecure location such as GitHub or email? Developers can now simply swap it out for a new key. Generate new API keys and deactivate older ones via the App Details page to conform to your organization’s key rotation policies or to protect against any security incidents.
Custom OAuth Keys
Kloudless developers have the option of importing their own OAuth keys to authenticate users. In contrast to the default keys used by Kloudless, custom OAuth keys enable your application to identify as itself when requesting access to a user’s account. You can modify the OAuth keys used by your application without invalidating tokens created for accounts connected with the previous set of OAuth keys. Visit the Credentials page for more information when switching keys for a cloud storage service.
Try out API key rotations and custom OAuth keys for yourself by logging into your developer account. Not using our universal storage API yet? Sign up for your free account here.
Question: We are using Kloudless to enable efficient file uploading from the client side. The Kloudless API Key and account ID will be public from the client side.
Other than setting the trusted domains, is there any way to protect it right now? — Kloudless Developer, Palo Alto CA
Answer: I would definitely not include the Kloudless API Key on the client-side because this creates a security risk. Use the users’ Account Keys instead. Account Keys function the same way as API Keys, but only provide access to the connected account.
Here’s how you can use Account Keys with the File Explorer:
Account Keys can be returned from the File Explorer by setting the “account_key” option to true. They are only returned to Trusted Domains (you can add your domain as a Trusted Domain via the App Details page in the Developer Portal). Once you have the Account Keys set on the client-side, you can use them to make requests. Additionally, Account Keys can be retrieved via the backend.
Account Keys are also useful when you want to show returning users which accounts they have already connected. Storing Account Keys for the user gives you the ability to render user accounts on the client-side and pass them in via the “keys” option. All of this happens while instantiating the File Explorer, which will display the corresponding accounts to the user automatically.
This approach protects your Kloudless API Key. If you want to dig deeper into how the Kloudless API handles Account Keys, check out the docs. You can also use the Interactive Docs to list account keys for your account, request Account Keys or get information about Account Keys. If you have any other questions, just let me know. I’m reachable at firstname.lastname@example.org. — Vinod Chandru, VP of Engineering / Co-Founder @ Kloudless
Have any questions about Kloudless or file storage in the cloud? Ping us and ask!
The developer portal’s App Details page now allows you to upload your app’s logo for display to users using the File Explorer and Authenticator UI Tools — custom branding for the win!
Another option now available through the File Explorer is “copy_to_upload_location”, which allows you to save all user-selected files to an S3 location of your choice, for collection or further processing. The File Explorer also accepts a “keys” option that takes a list of Account Keys and pre-populates the File Explorer with the corresponding accounts. This is useful for applications that want users to always have their accounts accessible by the File Explorer, even if the browser’s session data is cleared.
See how your users can create new folders via the File Explorer in “How to create folders in the File Explorer”.
Working on interesting things? Want to be featured in Dev Logs? Email us and get hooked up — we love sharing what our community is working on!