Feature Request: Domain and App ID Restrictions for API Tokens

In many applications, API tokens are critical for authentication and ensuring secure communication between services. However, the broad access granted by these tokens can pose security risks if not properly managed. To address this, I propose the implementation of domain and App ID restrictions for API tokens. Here’s how these restrictions could work:

  1. Domain Restrictions:
  • Allow developers to specify a list of allowed domains where the API token can be used.
  • Any request originating from an unlisted domain should be automatically denied, thereby reducing the risk of token misuse.
  2. App ID Restrictions:
  • Allow developers to bind API tokens to specific application IDs.
  • This ensures that the token can only be used by designated applications, adding an additional layer of security.
3 Likes
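
A sketch of the server-side check the proposal above describes, as an added example that is not part of the original post or any service's real API. `TokenPolicy`, `authorize`, the field names and the sample values are all hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class TokenPolicy:  # hypothetical per-token record kept on the API side
    secret: str
    allowed_domains: set = field(default_factory=set)  # exact host or "*.host"
    allowed_app_ids: set = field(default_factory=set)

def _host_from_origin(origin):
    """Lowercased hostname from an Origin header value, or None if unusable."""
    try:
        parts = urlsplit(origin or "")
        host = parts.hostname
    except ValueError:  # malformed value, e.g. a broken IPv6 literal
        return None
    if parts.scheme != "https" or not host:
        return None
    return host.rstrip(".").lower()

def _domain_allowed(host, patterns):
    for p in (p.lower() for p in patterns):
        if p.startswith("*."):
            suffix = p[1:]  # ".example.com": match on a label boundary only,
            if host.endswith(suffix) and len(host) > len(suffix):
                return True  # so "evil-example.com" does not pass
        elif host == p:
            return True
    return False

def authorize(policy, presented_token, origin=None, app_id=None):
    """Return (allowed, reason). An empty restriction set means unrestricted."""
    # Constant-time comparison of the presented token.
    if not hmac.compare_digest(policy.secret.encode(), presented_token.encode()):
        return False, "bad_token"
    # Origin and app ID are values the client sends; this check narrows where
    # a token is accepted and does not replace keeping the token server-side.
    if policy.allowed_domains:
        host = _host_from_origin(origin)
        if host is None or not _domain_allowed(host, policy.allowed_domains):
            return False, "domain_not_allowed"
    if policy.allowed_app_ids and app_id not in policy.allowed_app_ids:
        return False, "app_id_not_allowed"
    return True, "ok"

# Constructed sample policy for the checks below.
SAMPLE_POLICY = TokenPolicy("s3cr3t-constructed",
                            {"example.com", "*.example.com"},
                            {"com.example.mobile"})
```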

I second the above. This is a really good suggestion.

1 Like

If your API key lands on a device that you don’t control, you’re doing it wrong!

Don’t put the API key in your app! Don’t put it in your website! Don’t push it to your GitHub repo!

You can make an intermediate layer (maybe on Firebase or whatever) that does all this stuff, but your API key should never ever leave your systems!

1 Like

Absolutely right, but there is merit to some of the information above. Some services block API access when the request IP doesn’t match a whitelist. IP can be spoofed though, so it’s not entirely secure if the actual server is public.

The second one makes usage a bit more of an annoyance, however. Even in cases where the requirement is to hash with a secret key or something else, we end up back in the territory of your solution, which is simply:

  • Never make API key available.
  • Make use of an intermediary to hide information between the parties.

shrug

1 Like

+1, whitelisting would be nice.

1 Like