Hey folks, this is baffling me - how do I create a new app/get API credentials?
When I go to /pref/apps I just get a "You are already logged in and will be redirected"
But when I get redirected I end up on the same screen.
Any insights? :-)
Thanks!
Hello all, I've been looking around the docs and cannot find how to get an API key. Thanks.
You'll need to clarify. We don't have "API keys." If you're writing your reddit client fresh, we recommend using OAuth and that comes with client IDs/secrets.
Remember the human. When you communicate online, all you see is a computer screen. When talking to someone you might want to ask yourself "Would I say it to the person's face?" or "Would I get jumped if I said this to a buddy?"
Adhere to the same standards of behavior online that you follow in real life.
Read the rules of a community before making a submission. These are usually found in the sidebar.
Read the reddiquette. Read it again every once in a while. Reddiquette is a living, breathing, working document which may change over time as the community faces new problems in its growth.
Moderate based on quality, not opinion. Well written and interesting content can be worthwhile, even if you disagree with it.
Use proper grammar and spelling. Intelligent discourse requires a standard system of communication. Be open for gentle corrections.
Keep your submission titles factual and opinion free. If it is an outrageous topic, share your crazy outrage in the comment section.
Look for the original source of content, and submit that. Often, a blog will reference another blog, which references another, and so on with everyone displaying ads along the way. Dig through those references and submit a link to the creator, who actually deserves the traffic.
Post to the most appropriate community possible. Also, consider cross posting if the contents fits more communities.
Vote. If you think something contributes to conversation, upvote it. If you think it does not contribute to the subreddit it is posted in or is off-topic in a particular community, downvote it.
Search for duplicates before posting. Redundancy posts add nothing new to previous conversations. That said, sometimes bad timing, a bad title, or just plain bad luck can cause an interesting story to fail to get noticed. Feel free to post something again if you feel that the earlier posting didn't get the attention it deserved and you think you can do better.
Link to the direct version of a media file when the page it was found on doesn't add any value.
Link to canonical and persistent URLs where possible, not temporary pages that might disappear. In particular, use the "permalink" for blog entries, not the blog's index page.
Consider posting constructive criticism / an explanation when you downvote something, and do so carefully and tactfully.
Report any spam you find.
Browse the new submissions page and vote on it. Regard it, perhaps, as a public service.
Actually read an article before you vote on it (as opposed to just basing your vote on the title).
Feel free to post links to your own content (within reason). But if that's all you ever post, or it always seems to get voted down, take a good hard look in the mirror — you just might be a spammer. A widely used rule of thumb is the 9:1 ratio, i.e. only 1 out of every 10 of your submissions should be your own content.
Posts containing explicit material such as nudity, horrible injury etc, add NSFW (Not Safe For Work) for nudity, and tag. However, if something IS safe for work, but has a risqué title, tag as SFW (Safe for Work). Additionally, use your best judgement when adding these tags, in order for everything to go swimmingly.
State your reason for any editing of posts. Edited submissions are marked by an asterisk (*) at the end of the timestamp after three minutes. For example; a simple "Edit: spelling" will help explain. This avoids confusion when a post is edited after a conversation breaks off from it. If you have another thing to add to your original comment, say "Edit: And I also think..." or something along those lines.
Use an "Innocent until proven guilty" mentality. Unless there is obvious proof that a submission is fake, or is whoring karma, please don't say it is. It ruins the experience for not only you, but the millions of people that browse reddit every day.
Read over your submission for mistakes before submitting, especially the title of the submission. Comments and the content of self posts can be edited after being submitted, however, the title of a post can't be. Make sure the facts you provide are accurate to avoid any confusion down the line.
Please change ALL of the following:
API key
Redirect URL
User-Agent (in Infinity)
Please don't just change the API key!!!!!!!!! And please use another app name without infinity in it 🥺.
I found many users had made some tutorials about how to use your own API key, like this post, but none of them mentioned the other two things. If you don't change all of them, reddit still knows you are using Infinity, but with your own key.
You can see more info here.
Like, what are API keys and how do I configure them for my API?
Hello, everyone.
I want to use the Reddit API just to experiment a bit with its data. I want to build an app for customer discovery and market research, and right now I haven't written a single line of code. I only want to see what I can do with the API and then I might build something.
However, the registration form is asking me for OAuth Client ID, an About URL and Redirect URI. How am I supposed to have these when I haven't even started building anything yet? I'm a senior year undergrad CS student and at this point I'm only looking to experiment a bit.
Can people please guide me how I can register for the API?
If this is not the right place to ask this question, please, let me know where I can post it.
Thanks.
Can someone please walk me through it? Thanks
Context: I am preparing for behavioural rounds and trying to recall the codebase. Trying to come up with a conflict
I need your help to gain clarity regarding API keys and its storage.
The frontend of the codebase used a hardcoded static API key (the team lead would change it every few weeks) in the request header, which was then compared in the backend (using === in JavaScript). Only if the key matched would the request be processed.
From my understanding, it should be a private API key (am I right?). The API key on the frontend was hard-coded and stored in a variable (big LMAO), let alone a .env file.
What is the correct/acceptable way to store the key. I know that anything that ends up on the frontend is not a secret anymore.
I know many of you'd say "store the key on the backend", but then again I have a follow-up question: how would the frontend get the key in the first place if it doesn't have access to the backend? Kinda like a deadlock situation here for me.
I know I sound stupid :(
[EDIT] I'm concerned about generating my own API keys for authenticating users in my own project, not using an API of another service.
Hello there! Recently I've started reading on REST API and how to implement one, and currently I'm looking at the use of API keys for authentication. I'm confused on how the URL path should be constructed for different users, and whether the API key should be placed in the URL or within the HTTP header.
From my understanding, API keys are like your email/password when logging into a website, but they are usually encrypted in the database and used for verifying whether a certain request like GET/POST can be called. From the guides I've read online, these API keys are stored as parameters in the URL, for example: http://localhost:3000/users/?api_key=some_long_api_key. But with this approach, what's stopping someone who isn't authorized from copying the API key and using it in making requests?
The other option was to embed the API key in the body of the request, but I'm still wondering if this still suffers from the issue of someone who isn't authorized from making their own request body using it.
The other approach I'm thinking about is where before the request is made, the client retrieves the API key for the currently logged in user and then sends a request using that API key, ensuring that it is hidden from the url, but then again what's to stop someone from viewing the body of the request and getting the API key, unless encryption is required while sending it.
The above approach is what I'm planning to do, although I don't know if it's the correct way to do it. For instance, my thought process about doing this is as follows:
A new user registers with an email and password,
An API key is generated for the user,
When a request is sent, like posting some form data, the API key is retrieved for the current user and encrypted, then placed in the body of the request,
On the server, it first validates the API key and then continues with the request.
Also, for generating an API key, is generating a UUID good enough? Along with that, is it okay to send the user's email in the body of the request to identify which user is making the request? Is it possible that two users can have the same API key, which would require sending their details to the server to know which valid user is making the request? I've never worked with APIs before, so I am curious how this is solved from a security standpoint...
Thanks in advance and have an amazing day!
As of right now, you cannot retrieve a permanent access token. You have 2 options that come close.
The first is to request a "refresh" token when using the standard OAuth flow. That's what you're doing by sending "duration" as "permanent" in your code. The refresh token can be used to automatically retrieve new 1 hour access tokens without user intervention; the only manual steps are on the initial retrieval of the refresh token.
The second alternative, which applies only when writing a script for personal use, is to use the password grant type. The steps are described in more detail on reddit's "OAuth Quick Start" wiki page, but I'll summarize here:
- Create an OAuth client (under https://www.reddit.com/prefs/apps) with type = "script"
- Make a request to https://www.reddit.com/api/v1/access_token with POST parameters grant_type=password&username=<USERNAME>&password=<PASSWORD>. Send your client ID and secret as HTTP basic authentication. <USERNAME> must be registered as a developer of the OAuth 2 client ID you send.
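Added example, not code from the reply above, from praw, or from reddit's docs: it builds the password-grant and refresh-token requests the reply describes using only the standard library, parses a constructed token reply, and shows the bearer call against oauth.reddit.com. The client ID, secret, username and token values are placeholders, and the urllib.request.urlopen call that would actually send each request is left to the caller so the code runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Added example; only builds requests and parses a constructed response.
TOKEN_URL = "https://www.reddit.com/api/v1/access_token"
API_BASE = "https://oauth.reddit.com"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # "Send your client ID and secret as HTTP basic authentication"
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_request(form: dict, client_id: str, client_secret: str,
                   user_agent: str) -> urllib.request.Request:
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": user_agent,  # use a descriptive, app-specific agent string
        },
    )


def build_password_grant_request(client_id, client_secret, username, password, user_agent):
    """Token request for a 'script' app; username must be a developer of that app."""
    form = {"grant_type": "password", "username": username, "password": password}
    return _token_request(form, client_id, client_secret, user_agent)


def build_refresh_request(client_id, client_secret, refresh_token, user_agent):
    """Exchange a refresh token (from a duration=permanent flow) for a new access token."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_request(form, client_id, client_secret, user_agent)


def parse_token_response(body: bytes, now: float) -> dict:
    """Turn the JSON reply into a record with an absolute expiry time."""
    reply = json.loads(body)
    if "error" in reply:                                 # e.g. {"error": "invalid_grant"}
        raise RuntimeError(f"token endpoint error: {reply['error']}")
    return {
        "access_token": reply["access_token"],
        "expires_at": now + int(reply["expires_in"]),    # the 1-hour token lifetime
        "refresh_token": reply.get("refresh_token"),     # not every grant returns one
    }


def needs_refresh(token: dict, now: float, skew: float = 60) -> bool:
    # Refresh a minute early so an in-flight call does not race the expiry.
    return now >= token["expires_at"] - skew


def build_api_request(token: dict, path: str, user_agent: str) -> urllib.request.Request:
    # API calls carry the bearer token and go to oauth.reddit.com, not www.
    return urllib.request.Request(
        API_BASE + path,
        headers={"Authorization": "Bearer " + token["access_token"],
                 "User-Agent": user_agent},
    )
```

To actually use it: `resp = urllib.request.urlopen(build_password_grant_request(...))`, feed `resp.read()` to parse_token_response, keep the returned record, and call needs_refresh before each API request so the script re-requests a token (or exchanges the refresh token) without anyone typing a password again.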
A client_id and client_secret can be generated for a reddit account by going to https://www.reddit.com/prefs/apps and creating an app:
The part I have hidden is my client_id.
Then you can use a client like praw to access reddit e.g. with Python:
import praw

# Read-only client: with only a client ID/secret (no username/password)
# praw can browse public listings but cannot act as a user.
r = praw.Reddit(client_id='insert id here',
                client_secret='insert secret here',
                user_agent='insert user agent')  # reddit expects a descriptive user agent
page = r.subreddit('aww')
top_posts = page.hot(limit=None)  # limit=None pages through as much as reddit returns
for post in top_posts:
    print(post.title, post.ups)
You could use your current browser's user agent, which can be easily found by google searching "what is my user agent" (among other ways).
I am trying to build an API for a recommendation engine with Python and FastAPI, but I realised that FastAPI doesn't have any built-in function to generate an API key. So far, I've only built frontend apps and relied on cloud services to handle the backend, and obviously got access to their services using an API. Isn't an API key just a random string of characters? How would you securely store it on the server side?
I understand that an API key is used to identify you to the API but I am more wondering how this works in practice, more specifically how to not expose the key to the enduser.
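Added example, not code from any of the posts above, covering the three questions about issuing and checking your own API keys: the hard-coded key compared with === in the request header, the UUID-as-key design with the key in the URL, and generating and storing a key server-side for a FastAPI-style backend. The in-memory store, the X-API-Key header name and the prefix.secret layout are this example's own choices, not anything from the thread.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example. The dict below stands in for a database table keyed by the
# key's public prefix; header name and key layout are this example's own.


def _hash_secret(secret: str) -> str:
    # The secret half of the key already carries 256 bits of entropy, so a
    # fast hash is enough (slow password hashes exist to stretch low-entropy
    # human passwords). Storing only the hash means a dumped database does
    # not hand out working keys.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class KeyRecord:
    user_id: str
    secret_hash: str
    revoked: bool = False


@dataclass
class ApiKeyStore:
    records: Dict[str, KeyRecord] = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        """Create a key for user_id and return it once, as prefix.secret."""
        while True:
            prefix = secrets.token_hex(4)    # public handle, used only for lookup
            if prefix not in self.records:   # uniqueness check: no two users can
                break                        # ever be tied to the same key
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.records[prefix] = KeyRecord(user_id, _hash_secret(secret))
        return f"{prefix}.{secret}"

    def revoke(self, prefix: str) -> None:
        if prefix in self.records:
            self.records[prefix].revoked = True

    def authenticate(self, headers: Dict[str, str],
                     query: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Return the user_id behind the request's key, or None."""
        # Refuse keys in the query string outright: URLs land in access logs,
        # browser history and Referer headers, so a key there is as good as public.
        if query and "api_key" in query:
            return None
        raw = headers.get("X-API-Key", "")
        if "." not in raw:
            return None
        prefix, secret = raw.split(".", 1)
        rec = self.records.get(prefix)
        if rec is None or rec.revoked:
            return None
        # compare_digest takes the same time wherever the strings differ; a
        # plain == (or === in JavaScript) stops at the first mismatching byte.
        if not hmac.compare_digest(rec.secret_hash, _hash_secret(secret)):
            return None
        return rec.user_id
```

The key is shown to the user once; the server keeps only the prefix, the hash and the owner, so no email has to travel with the request, two users cannot share a key, and the key is sent in a header over HTTPS rather than in the URL or body. In FastAPI, authenticate() would sit behind a dependency that reads the header, and a browser frontend that calls your own backend should use a session cookie rather than a key embedded in the page, since anything shipped to the browser is public.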
If I create an application which uses a service that requires an api key, do I as a developer request a key, and every request to the service goes through a proxy server?
If so, what in situations where I do not want to use a proxy server? A Reddit/FB/Twitter/whatever client comes to mind?
Prerequisites
An Apple Developer account you know the email and password to.
Sideloadly; you can download it here for macOS or Windows: https://sideloadly.io
An account on iOSGods (don’t ask me what this website’s purpose is, I genuinely don’t know); you can use a burner email address for this created through Apple’s Hide My Email service. We’ll create the account in a later step (don’t do it ahead of time, it just makes things harder).
An account on appdb. Create one here (use a burner email): https://appdb.to
A profile on your phone. This is sketchy, but I tried this on a burner phone and they haven’t done anything fishy (yet; install at your own risk, obviously). Once your account on appdb is created, hit “link device” at the top right, then install the profile on your phone (AirDrop it to your phone if you opened the link on your Mac like I did).
A Mac or Windows PC. There are guides for how to do this without one, I find them hard to follow.
About 20 minutes and a snack.
Downloading a decrypted Apollo 1.15.11 IPA
First, you’ll need an IPA you can actually use (pre-shutdown). The version that unlocks all Pro features is 1.15.11. You get that from a website called ArmConverter. Search for Apollo here: https://armconverter.com/decryptedappstore/us
Once you’ve found it, don’t download the latest version. Hit the little clock icon with the arrow, then “Login with iOSGods.” Create an account with iOSGods (don’t give them your real anything — you won’t even need this account after you’re done), then give ArmConverter access to your fake iOSGods account. This is why we didn’t create the account earlier, it’s just easier to do it all in one browser tab.
Download 1.15.11. Nothing newer, and nothing older (unless you want to try and see if you get the Ultra features with a newer version). Save it to your downloads folder.
Injecting the neat stuff into the IPA
4. Now that you have an IPA, we need to make it useful. This is where Sideloadly comes in. Download, install, and launch Sideloadly on your computer.
5. Drag that IPA you just downloaded into the IPA slot in Sideloadly.
6. This is important: go to this GitHub link and download the .deb file (three dots, or command + shift + S). Save it to your downloads folder. Make sure this is the file you download (arm64).
7. Hit “Advanced Options” in Sideloadly. Under that, de-select “use automatic bundle ID,” then enter a new bundle ID. This can be anything, I’d go with com.spezcansuckadick.Apollo. Just make sure it’s in that format.
8. Under “signing mode,” choose Export IPA.
9. Important step #2: select “Inject dylibs/frameworks.” Hit the “+dylib/deb/bundle” button, then select that .deb file you downloaded from GitHub.
10. Check “Cydia Substrate” and “Sideload Spoofer.”
11. Hit “Start,” then save the new IPA as whatever you’d like and wherever you’d like.
Getting this new, fancy injected IPA onto a real phone (the hard part, thanks Apple)
12. Go to appdb. Hit the arrow next to your linked device (if you don’t have a linked device at the top right, please go back and read the prerequisites where I tell you how to get that). Then, hit “View PLUS status.” You don’t have to pay them money, don’t worry — just enter your Apple ID email and password into the fields to link your dev account to appdb. Sketched out? I was too. Again, do this at your own risk. Don’t be spooked by the Chicago, IL sign-in request — that happened to me too.
13. Once successful, hit that arrow again, then “install custom application.”
14. Upload the IPA we created in step 11 from the last section (damn Reddit formatting grumbles in Markdown and old.reddit struggles).
15. Hit install next to the IPA you just uploaded. Give it a second. Like, a while. It’ll work. Make sure your phone is unlocked and ready and hit “Install” on the prompt asking you to confirm on your phone. If you’re impatient, hit “cancel” on that prompt in appdb (this is stupid, I know) — it’ll take you to the status page.
16. If you’ve done everything right, a fancy version of Apollo is now on your phone. Congratulations, the hard part is done!
Getting your Reddit API key
17. Open your fancy Apollo on your phone. Ensure a green banner shows up saying that everything is working as expected. Not the old one with the halo app icon that plays the sad music (you don’t have to delete that one, though).
18. Go to Apollo Settings > General > Custom API.
19. Hit “Reddit API website.” Sign into your Reddit account, go down, click “are you a developer...”, and fill in the fields:
Name: Whatever
Installed App
Description: Whatever
About URL: Whatever
Redirect URL: apollo://reddit-oauth
Create the app, then copy your key (it’s an alphanumeric string of stuff).
Paste that key in the field in fancy Apollo.
Hit OK, then go to the account tab and sign in with your Reddit credentials. If you did everything right, this should work, and Apollo should work! If not, ensure you injected the .deb file in Sideloadly.
Notable Downsides
This is risky. Do this at your own risk. I’m not responsible if some guy steals all your money because you gave appdb your Apple ID password and 2FA and installed a literal profile on your phone. These are things you shouldn’t do unless you’re confident in the websites you’re using. I cannot emphasize this enough: quit using Reddit if you can. I just did this for fun, I would not recommend you use this if you’re a hardcore Reddit user. Apollo is dead; this app will die the second Reddit inevitably changes the way OAuth works with their API. This is not permanent.
Apollo Ultra features don’t work, no matter what you try. I have no idea how the hell you can get them to work (some have), perhaps a newer version. I really don’t have the time to figure out if that’ll work or not. You can try and let us all know, though!
Imgur uploads don’t seem to work, for some reason. Maybe this is just me, or maybe Christian killed his key. Someone, make another tweak which lets us add our own Imgur keys!
‘Open in Apollo’ doesn’t work automatically because we changed the bundle ID. The browser extension works, though — you’ll just have to tap the button to open the link in Apollo.
The app crashes as soon as you hit the share button anywhere. No idea why this happens, but you can’t copy links using Apollo anymore, which is a big bummer. Once again, Apollo is dead, this is to be expected.
Lock Screen widgets don’t work. I have no idea why this happens either (probably the same reason the share sheet doesn’t work), but it’s also something to note.
This’ll probably work for 2 weeks until spez the pissbaby revokes all API keys like Lord Musk did. Don’t be surprised if that happens. Apollo is dead, we’re just playing with fire here. This is for fun.
Final Words
Because you’re an Apple Developer Account holder, this should work for a year before you have to do the appdb stuff again. Who knows if the world will even be around in a year? Relax.
Because you specified your own bundle ID, when you force quit the app, you’ll still remain logged in. Nice! Some other methods don’t do that.
If you want to run this on your iPad or Apple silicon Mac, it’ll probably work. You probably will just have to install the same profile on those apps and let appdb install it for you. I wouldn’t bother, though — old.reddit works fine enough and I wouldn’t spend that much time on Reddit anymore to warrant a good Reddit experience because spez is a fucking bitch.
Cheers, and enjoy Apollo while this lasts! Thanks for making it, Christian. I will remember Apollo.
Edit: formatting and corrections. Edit 2: clarification regarding Imgur not working. Edit 3: added info regarding Apple silicon Macs and iPads. Edit 4: grammar, clarification, extra information, etc. Edit 5: Open in Apollo clarification. Edit 6: added that sharing doesn’t work. Edit 7: sectioned off downsides to make it clearer that this isn’t a very good idea. Edit 8: clarified that widgets don’t work anymore.
I’ve been grappling with an issue at work that seems partially solved. We’re a team of 60 developers working with multiple third-party services like Polygon, Slack, Zoom, and SendGrid. The challenge is managing API keys securely—ideally, we’d have one API key per developer to maintain tight security. But this leads to significant overhead, especially when developers leave and we need to revoke and reissue keys.
Currently, we’re considering a solution where a service would act as a proxy. We’d register our third-party integrations, and developers would access these services through a single endpoint that manages authentication via our Identity Provider (IDP). Essentially, each developer uses their IDP token to make requests, isolating individual API keys from direct developer access.
I’m really curious to know:
• How are you all managing API keys, especially in larger teams?
• Have you implemented any systems or tools that have streamlined this process?
• Would a proxy-based solution like the one I described be helpful in your setup?
thx.
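Added example for the two proxy questions in this thread: the earlier one about routing every call through a proxy so the end user never sees the service's key, and the team question just above about one endpoint that authenticates developers through the IdP and keeps the third-party keys away from them. It is not code from either post. The IdP token is a constructed HMAC-signed "user|expiry|signature" string standing in for whatever the real IdP issues (a real broker would validate the IdP's JWTs against its published keys), and the service URLs, key values and access lists are placeholders.

```python
import hashlib
import hmac
import time
import urllib.request
from typing import Dict, List, Optional

# Added example. Signing key, services, key values and access lists are
# placeholders; the token format is a stand-in for the IdP's real tokens.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"

# Upstream credentials live only on the broker host (in practice a secrets
# manager); developers never see them, so a departure is handled by the IdP.
UPSTREAM: Dict[str, dict] = {
    "slack": {"base": "https://slack.com/api",
              "header": "Authorization", "value": "Bearer example-slack-token"},
    "sendgrid": {"base": "https://api.sendgrid.com/v3",
                 "header": "Authorization", "value": "Bearer example-sendgrid-key"},
}

# Which IdP identities may reach which service; managed like any group membership.
ACCESS: Dict[str, set] = {"slack": {"alice", "bob"}, "sendgrid": {"alice"}}


def mint_idp_token(user: str, expires_at: int) -> str:
    """Stand-in for the IdP issuing a token to a logged-in developer."""
    payload = f"{user}|{expires_at}"
    sig = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_idp_token(token: str, now: float) -> Optional[str]:
    """Return the user the token names, or None if forged, malformed or expired."""
    try:
        user, exp, sig = token.split("|")
        expires_at = int(exp)
    except ValueError:
        return None
    expected = hmac.new(IDP_SIGNING_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= expires_at:
        return None
    return user


def broker(idp_token: str, service: str, path: str, audit: List[dict],
           now: Optional[float] = None,
           caller_headers: Optional[Dict[str, str]] = None) -> urllib.request.Request:
    """Authenticate the developer, authorize the service, attach the upstream key."""
    now = time.time() if now is None else now
    user = verify_idp_token(idp_token, now)
    if user is None:
        raise PermissionError("invalid or expired IdP token")
    if service not in UPSTREAM or user not in ACCESS.get(service, set()):
        raise PermissionError(f"{user} may not use {service}")
    cfg = UPSTREAM[service]
    # Pass caller headers through but drop any credential the caller supplied:
    # the broker is the only place the upstream key is ever set.
    headers = {k: v for k, v in (caller_headers or {}).items()
               if k.lower() != "authorization"}
    headers[cfg["header"]] = cfg["value"]
    # Per-developer audit trail, which one shared key could never give you.
    audit.append({"user": user, "service": service, "path": path, "at": now})
    return urllib.request.Request(cfg["base"] + path, headers=headers)


def offboard(user: str) -> None:
    """A developer leaves: drop their access; no upstream key needs rotating."""
    for members in ACCESS.values():
        members.discard(user)
```

A real proxy would send the returned request with urllib.request.urlopen and relay the response body and status back to the developer; that part is left out so the example runs offline. The point of the design is visible in offboard(): revoking a person touches only the access list (or the IdP group behind it), while the one key per service stays put and is rotated on its own schedule.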