Will private API token be exposed?
Hi all, just noted this particular snippet in the documentation, particularly
please note that the token will bleed in the front-end

    prismic: {
      // example querying a private Prismic repository
      // please note that the token will bleed in the front-end
      apiOptions: {
        accessToken: 'yourAccessToken'
      }
    }

Am wondering what this line means, and am curious if the private API token is exposed, and what is the best way to implement such a configuration in Nuxt, such that the private API token is protected?
Issue Analytics
- State:
- Created 2 years ago
- Comments:5
Top GitHub Comments
Hey @gabrielsze, nice question!
Since Prismic has to be able to run on the frontend (for SPA fallback, previewing content, etc.) the token you pass as an option here will eventually bleed in the frontend.
If you’re using a token to protect unreleased content, you can effectively use this option by providing it an access token that only has access to the master ref. People won’t be able to peek at unreleased content this way.
However, if you want to completely protect your content, while hiding the token, I’m afraid it’s not possible now to do so with this module, and Nuxt overall. Once Nuxt Nitro is released we might be able to use it to proxy calls to Prismic through a serverless function. In the meantime the option available to you is to write an API that acts as a proxy and handles calls to Prismic, injecting your token there. Just want to give you a heads up regarding that as there might be no need to do so with your content since it will most likely be public at the end of the day?
Let us know if anything, cheers!
You’re welcome, closing this now~
Feel free to reopen if you have any questions, also we have a community forum where you can get support for that kind of question 🙂
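
The proxy approach described in the maintainer's reply above (an API that handles calls to Prismic and injects the token server-side), as an added example that is not part of the original thread or the module's own code. The `PRISMIC_REPO` and `PRISMIC_TOKEN` environment variable names, the `/prismic` mount path, port 3001, the `START_PRISMIC_PROXY` switch and the path allow-list are assumptions; the global `fetch` requires Node 18 or later.

```javascript
// Added example, not from the thread. Assumed names: PRISMIC_REPO and
// PRISMIC_TOKEN env vars, the /prismic mount path, port 3001.
const ALLOWED = /^\/api\/v2(\/documents\/search)?$/; // read-only endpoints

// Map a request to the proxy onto the upstream Prismic URL; null = refuse.
function buildUpstreamUrl(incomingUrl, repo, token) {
  if (!repo || !token) return null;
  const inUrl = new URL(incomingUrl, 'http://proxy.local'); // normalizes ../
  if (!inUrl.pathname.startsWith('/prismic/')) return null;
  const path = inUrl.pathname.slice('/prismic'.length);
  if (!ALLOWED.test(path)) return null;
  const out = new URL(`https://${repo}.cdn.prismic.io${path}`);
  for (const [key, value] of inUrl.searchParams) {
    // Drop any credential the client sends; only the server's token is used.
    if (key.toLowerCase() !== 'access_token') out.searchParams.append(key, value);
  }
  out.searchParams.set('access_token', token);
  return out;
}

// Precaution: scrub the token in case upstream echoes it back in the body.
function redact(body, token) {
  return body.split(token).join('REDACTED')
    .split(encodeURIComponent(token)).join('REDACTED');
}

async function handle(req, res, env = process.env) {
  const upstream = req.method === 'GET'
    ? buildUpstreamUrl(req.url, env.PRISMIC_REPO, env.PRISMIC_TOKEN)
    : null;
  if (!upstream) { res.writeHead(404); res.end(); return; }
  try {
    const reply = await fetch(upstream); // global fetch, Node 18+
    const body = redact(await reply.text(), env.PRISMIC_TOKEN);
    res.writeHead(reply.status, { 'content-type': 'application/json' });
    res.end(body);
  } catch {
    // Generic error only: the upstream URL carries the token.
    res.writeHead(502); res.end();
  }
}

async function start() {
  const { createServer } = await import('node:http');
  createServer((req, res) => handle(req, res)).listen(3001, '127.0.0.1');
}
if (process.env.START_PRISMIC_PROXY === '1') start();
```

With this in place the browser talks only to the proxy, and no `accessToken` appears in the Nuxt configuration that gets shipped to the client.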