Hey folks, this is baffling me - how do I create a new app/get API credentials?
When I go to /pref/apps I just get a "You are already logged in and will be redirected"
But when I get redirected I end up on the same screen.
Any insights? :-)
Thanks!
I know about the dashboard but couldn't find them anywhere.
You need to create an app first, go here - https://www.reddit.com/prefs/apps
Referencing old thread - https://www.reddit.com/r/redditdev/comments/251v3z/how_to_get_an_api_key/
You can find the dashboard by clicking on the "hamburger" icon in the top left-hand corner of the screen.
Hi,
What are the best practices for handling third-party API credentials in full stack apps?
Example: let's say we're building a SaaS app that uses the OpenAI API. The user is expected to provide their own API key (and potentially the base URL if they want to use an OpenAI-compatible API).
The backend will need these credentials to make calls to the third-party API, so we will have to send them from the frontend to the backend. We also don't want the user to enter these credentials every time they run an action, so we will have to store them in the database.
What are best practices for handling these credentials? We can't just hash them and store the hash, as we need to get the actual key to send it to the 3rd-party API. Should we encrypt the key in the backend before storing it in the database? If we do this, where do we store the encryption key? Should it be an environment variable that is provided during runtime (e.g. stored in a password manager in the cloud provider)? But this key needs to be stored permanently, which means we cannot rotate it easily, right?
Also, what about the frontend code? Assuming we're using React, are there things to keep in mind when handling the credentials? I know we should treat the key as a password (it shows up as ******* in the form).
One last thing, is the base URL of the third party considered a sensitive value? Should it also be encrypted or can we just store it as plain text?
Thanks in advance!
Please change ALL of the following:
API key
Redirect URL
User-Agent (in Infinity)
Please don't just change the API key!!!!!!!!! And please use another app name without Infinity in it 🥺.
I found many users had made some tutorials about how to use your own API key, like this post, but none of them mentioned the other two things. If you don't change all of them, Reddit still knows you are using Infinity, but with your own key.
You can see more info here.
Can someone please walk me through it? Thanks
After so much research around the internet, I'm still unclear on how one actually stores the API key securely.
Everyone just talks about using environment variables, which I already know. BUT, that is not going to completely hide the key. Sure, it helps exclude it from the git repo, but a build is still going to have the key exposed when the source is inspected.
My question is, how do big websites secure their keys that even if the key is to be inspected from the source, their API access is still restricted?
Note that I'm not talking about the authenticated API access but let's say, an API to display public data like newsfeed etc... the authenticated API access is already self explanatory.
I tried to check around how Spotify does it: the client key is used to fetch the actual secret from Spotify's server, which is then used to access the actual API endpoint. But even so, if the client key is known by someone, wouldn't they be able to access the endpoint by sending a request to fetch the actual secret? Can someone clear this up for me in an easy-to-understand way?
I'm a self-taught guy and I haven't actually worked with professionals on a real project to get some ideas from, so it's kinda mind-boggling for me right now.
I am trying to set up a basic Reddit application; however, the docs are a bit complex to understand, and I cannot find a tutorial. I have created the application in the developer thing and have a client ID and secret. How can I run the OAuth requests to get top posts from a subreddit, etc.?