Is There Any Security Around API Key?

timrowell

Asked on November 6, 2015 at 6:20 AM

Hello,

We would like to build our own frontend around the Jotform API and integrate our forms with other third party services. Currently, we are considering using POST /form/{id}/submissions on the client side. Are there any security considerations to be wary of? If the api key is exposed on the frontend could someone use it to view other submissions?

Many thanks, Tim
mert JotForm UI Developer

Replied on November 6, 2015 at 9:25 AM

Hi Tim,

Normally, it is not possible; but if you have security concerns, you can change its permission settings to "Read Only".

Each generated API Keys comes with permissions. Read Access permission to read only private information and Full Access permission to grant them with full access to your data, e.g. add, edit, delete form submissions.

For more information about Jotform API, please visit Jotform's API Documentation page. http://api.jotform.com.

If you need more information, please let us know.

Thanks.
timrowell

Replied on November 6, 2015 at 10:49 AM

Hi Mert,

Thank you for the reply. I am still confused about a couple of things.

>> Normally, it is not possible

What is not possible? Viewing the submissions? Building a frontend around the API?

>> Read Access permission to read only private information

This is exactly what we don't want. If the apikey was exposed, we don't want snooping users to be able to view other submissions. Unless I've misunderstood what 'read access' means, what we really want is 'write access' only.

My questions are:

1. Is it possible to read people's submissions with just the api key? The documentation seems to imply that this is possible.

2. Will setting the permission to "read only" still allow users to post submissions?

3. Are we better off building this service in the backend and not worry about exposing the api key?

Best,

Tim
Welvin Support Team Lead

Replied on November 6, 2015 at 12:55 PM

Hi Tim,

I think that answer is pertaining to your last question. But I need to confirm this to Mert so just to be sure. And our API team should be able to address your additional questions.

Thank you and my apologies.
timrowell

Replied on November 9, 2015 at 4:56 AM

Hi Welvin,

Thank you for clarifying. Will the API team answer my questions in this thread? I've asked the original question in the developers' forum (http://developers.jotform.com/forum/post/563b99e6b71a89072300004e) but it has still been unanswered.

Just to let you know the contact button in the API docs (http://api.jotform.com/docs/#contact) doesn't seem to point to anything.

Best,

Tim
Charlie

Replied on November 9, 2015 at 9:28 AM

Hi,

The API key is not usually shared and exposed, I believe. As displayed in the documentation, you can easily view submission data by just knowing the API key and a submission ID. It would be best to either store it on a database, call it on your backend code (PHP is not exposed on the frontend so it is more secure), and then tie that in a session variable.

You can try to contact the API team in this address api@jotform.com.
timrowell

Replied on November 9, 2015 at 9:40 AM

Hi Charlie,

We guessed this would be the case, however I've just tried retrieving a specific submission by providing the submission ID and I get a 401. The API key is set to full access. Any ideas?

Cheers,

Tim
mert JotForm UI Developer

Replied on November 9, 2015 at 9:48 AM

Hi there,

In addition to what Charlie said, there is no option like "Write Access Only" on JotForm's API. You can change this option as "Read Only" or "Full Access".

To change the API setting,

Moreover, if you set your API permission as "read only", it is not possible to add a new record. So, Charlie's idea is the better one, if you have security concerns. However, our API key doesn't expose normally.

If you need any other information, please let us know.

Thanks.