
Which keys can be revealed? I'm developing an open source application using the Trello API in Python. I have the application key which I generated from appKey/generate, which I always require for initiating the client. If I hard-code this application key in my source code, then everybody will be able to use my account. If I always ask the user to enter his application key, then what is the need for the application token?

meteors

1 Answer


Every user of your open source app needs to provide his own developer key. I suggest using a config file that he must fill in before using the app.

From that page, only the first key is public: https://trello.com/app-key

But the second one, the "secret key", is secret... I don't know what it is used for for now; we only use the public key + user token.

Your data is secure even if you give out your developer key, as that key doesn't allow the user to see your data; he gets his own token from OAuth, and that token says he can only interact with his own data.

We are developing a JavaScript app, so everyone can see our dev key in the Chrome debugger, but the token is the security.

Even if your user is using your personal api_key, he is not "logged in" to your Trello account, so he can't see anything. The "token" is the key used for security and access.

But because your app is not hosted on your servers, but is open source and can be used by anyone, I suggest not giving out your key in the app.

foxontherock
  • I checked this JS code here http://jsfiddle.net/nNesx/ on the doc page, which reads cards assigned to you. I think it just takes my auth token and not the developer API key. How does it work? – meteors Apr 28 '15 at 09:17
  • In your jsfiddle demo, I see the developer key in the query string of client.js. With that key, without a token, only the owner of that key can see their data; that key can't be used to view or edit someone else's data. Maybe, when you use the .authorize method, the token is set... but if you come back the day later, you need to re-authorize, or use setToken (with your previous token) to get back the same user rights. – foxontherock Apr 30 '15 at 17:47
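A minimal Python pattern for what the answer recommends (each user supplies their own app key in a config file, and the user's OAuth token, not the app key, is what grants access), added here as an example and not code from the question, the answer or Trello. The config section and keys, the environment variable names, the placeholder string and the sample key/token values are constructed assumptions; the trello.com/1/authorize and api.trello.com/1 URLs are Trello's real endpoints.

```python
import configparser
import json
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

TRELLO_API = "https://api.trello.com/1"
AUTHORIZE_URL = "https://trello.com/1/authorize"
# Constructed sample of the config file each user fills in (not a real key or token).
SAMPLE_CONFIG = """[trello]
api_key = 0123456789abcdef0123456789abcdef
token = fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

def load_credentials(text, env=os.environ):
    """Read the user's own key/token; env vars override the file so nothing is hard-coded."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    key = env.get("TRELLO_API_KEY") or cfg.get("trello", "api_key", fallback="")
    token = env.get("TRELLO_TOKEN") or cfg.get("trello", "token", fallback="")
    if not key or key == "PUT-YOUR-KEY-HERE":
        raise ValueError("api_key missing: generate your own at https://trello.com/app-key")
    return key, token

def authorize_url(key, app_name, scope="read", expiration="1day"):
    """URL the user opens once to grant *their own* account to the app; Trello shows a token."""
    params = {"expiration": expiration, "name": app_name, "scope": scope,
              "response_type": "token", "key": key}
    return AUTHORIZE_URL + "?" + urlencode(params)

def api_url(path, key, token, **query):
    """Authenticated API URL: the key identifies the app, the token the user and their scope."""
    if not token:
        raise ValueError("no token: open authorize_url() and paste the token into the config")
    query.update(key=key, token=token)
    return f"{TRELLO_API}/{path.lstrip('/')}?{urlencode(query)}"

def redact(url):
    """Same URL with key and token values masked, for log lines and error messages."""
    parts = urlsplit(url)
    masked = [(k, "REDACTED" if k in ("key", "token") else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(masked)))

def get_json(path, key, token, **query):
    """Perform the GET; on failure the error carries only the redacted URL, never the token."""
    url = api_url(path, key, token, **query)
    try:
        return json.load(urlopen(url))
    except OSError as exc:
        raise RuntimeError(f"Trello request failed: {redact(url)}") from exc
```

With a filled-in config, `get_json("members/me/boards", *load_credentials(open("trello.ini").read()), fields="name")` lists only the boards of the user who granted the token, whichever app key was used.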