Client-side Integrations with Custom API Keys

In this article, we’ll discuss using our new Custom API Keys feature, a convenient way to use license keys securely without the need for back-end coding.

When clients and prospects sign up with any of our API data validation services, they get a license key that allows them to validate data using our APIs. Those license keys allow them to start validating records from wherever they have an internet connection via web applications, third-party platforms like CRMs, marketing software, desktop applications (even many Office 365 products) and mobile apps.

Over the years we have built out sample integrations and plugins and will continue to do so in the future. As technology evolves, so do our license keys. Traditionally, our license keys have always needed to be secured in the back end of an application, so as not to expose them to the outside world where they can be stolen from a web page. That has worked fine, and we have securely validated many billions of contact data items that way. But as more applications become web-based, the need for license keys that can be exposed to the outside world without the worry of theft and abuse has brought us to our new addition, which we call Custom API Keys.

So why can’t the traditional keys be secure on a client-side implementation?

That can be accomplished, in a way, but it takes an extra back-end coding layer to secure the traditional license key. Meaning, you can do all that fun and fancy web design with JavaScript, but you ultimately need to tie that into a back-end process to append a license key so it’s not left exposed – a proxy or middleman process to hide the key, as demonstrated in this diagram.
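The proxy step described above, sketched as an added example (not the vendor's code): the browser sends only the address fields, and the back end appends the license key before calling the API. The upstream URL, the `LicenseKey` parameter name and the allowed field names are assumptions for illustration.

```javascript
// Added example: back-end proxy step that appends the license key server-side.
// UPSTREAM_URL, the LicenseKey parameter name and the allowed fields are
// assumptions for illustration, not the vendor's documented API.
const UPSTREAM_URL = "https://api.example.invalid/validate";
const ALLOWED_PARAMS = new Set(["Address", "Locality", "PostalCode", "Country"]);

// Build the upstream request URL from untrusted browser input.
function buildUpstreamUrl(clientQuery, licenseKey) {
  if (!licenseKey) throw new Error("license key not configured on the server");
  const url = new URL(UPSTREAM_URL);
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    // Forward only expected fields; a client-supplied LicenseKey or any
    // unexpected parameter is dropped instead of being passed through.
    if (ALLOWED_PARAMS.has(name) && !url.searchParams.has(name)) {
      url.searchParams.set(name, value.slice(0, 200));
    }
  }
  url.searchParams.set("LicenseKey", licenseKey); // added only on the server
  return url;
}

// Proxy handler: the browser calls this endpoint and never sees the key.
// `fetchImpl` is injectable so the handler can be exercised offline.
async function proxyValidate(clientQuery, licenseKey, fetchImpl = fetch) {
  const upstream = buildUpstreamUrl(clientQuery, licenseKey);
  const res = await fetchImpl(upstream, { method: "GET" });
  const body = await res.text();
  // Return only status and body; never echo the upstream URL (it holds the key).
  return { status: res.status, body };
}

// Constructed sample: a browser request that carries its own key and an
// unexpected parameter; both are dropped before the real key is appended.
function demo() {
  const q = "Address=1+Main+St&Country=US&LicenseKey=from-browser&debug=1";
  return buildUpstreamUrl(q, "SERVER-SIDE-KEY-PLACEHOLDER").toString();
}
```

In a deployment the key would be read from server configuration such as an environment variable, never from the request.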

Depending on the flow of your web application and business requirements, it is often acceptable and even desired for the connection to our APIs to flow through a back-end process. The addition of Custom API Keys gives our clients flexibility and allows us to open up additional options for coming up with a solution. The reason for us to add Custom API Keys is that it makes integrations easier, with less code and fewer resources needed to implement our API in a web application.

These items are tightly associated. Without a back-end process to append a license key, integrating becomes less complicated and, in turn, demands less coding. The code for the API call stays on the client side, and a back-end developer is no longer needed for implementation; only front-end code is required, as shown here.

With fewer people involved, integrations become less expensive and faster. Being able to implement the whole API integration on the front end with JavaScript will allow us to write sample code that can be embedded in a web app with not much more than a single line of code. Removing the back-end dependency in this situation will also reduce potential latency in updating the web application. Certainly, there are still plenty of reasons for a back-end process to do some heavy lifting, like hiding business logic from end-users and logging results, but it is no longer necessary for the purposes of connecting to our validation APIs.

Okay, then the Custom API Keys are less secure than the traditional keys?

Nope, they’re just designed differently. We are locking down the Custom API Keys by domain, which will be configurable, so people can’t just lift them from your web page and use them elsewhere. Securing traditional keys or Custom API Keys is always paramount in any process; they just need to be secured in different ways.

Are Custom API Keys replacing the traditional validation API keys?

No, they will co-exist. When signing up for our data validation APIs, you will receive the traditional API license key and then have the ability to generate additional Custom API Keys. You may want to use one Custom API Key in development and another in your live environment.

What are some Custom API Key scenarios?

You may want unique Custom API Keys for different parts of your web offering or even for different departments. With the ability to obtain multiple keys, you’ll now have visibility into how individual processes are performing based on the keys being used, as well as the power to turn the keys on and off. They will all be tied to the same traditional key, which acts as the overarching key for the validation API being subscribed to.

Organizations will even be able to generate unique Custom API Keys to deliver to their clients and have the ability to track usage and turn those keys off and on.

The addition of Custom API Keys will supply our customers with many implementation options and the flexibility to meet their needs while allowing them to simplify integrations and reduce overhead. We will first be rolling out the Custom API Keys with our new DOTS Global Address Complete service and then begin to move the technology over to our other validation services.