Use API without exposing secret key

I would like to use the Squidex API in a JavaScript powered web app (e.g. with a framework like Vue or React or similar).

  1. Is it possible to call the API without revealing the secret? Or do I need to use some tunnel in that case?

  2. Is it possible to restrict API access (e.g. from a specific domain only)?


I’ve written my own gateway app which provides tokens for the javascript, but these tokens only provide read-only access. Afaik there is no built-in functionality in squidex atm which wouldn’t require you to expose the secret. Regarding question 2.: What you are asking for sounds like an API gateway, so I would recommend looking at these:

  • Kong
  • Apiman (im curently using squdex with this, because it allows me to have custom permissions/authorization)
1 Like

Thx for the lightning quick reply! Awesome, that helps me.

@pushrbx Do you want to write an article / page for the documentation about apiman?

Sure. Just drop me a PM with your expectations.