
agustipriet7 asked

Beginner question: Where to store APP-ID?

Hello developers, I am developing a simple web page that uses the eBay Finding API to list some of its products. I have a question about the security implications of exposing the APP-ID. Currently I am storing it in the client (JavaScript) because I am making the eBay API calls from the client, not from the server. I don't know if that is secure, because all the sites that I saw make the API calls on the server. Is it OK to "expose" the APP-ID in the client? Is that a security breach that infringes the eBay API terms? I couldn't find info. Sorry for the bad English and thanks, Agustín.
Tags: javascript, appid, app-id, beginner

1 Answer

helios825 answered
I don't have any conclusive answers for you. This question gets raised here on the forum every year or two. I don't think eBay has given any real solid advice on this topic, so use your best judgement. I'm not sure about the legal ramifications of exposing your AppID in client-side scripting.

I'd generally recommend this: If your AppID hasn't been approved (and you plan NOT to get it approved) via a Compatible Application Check (CAC), you're probably OK stepping forward and distributing your AppID in your client app. It'll have a max of 5K calls/day total (across all clients), and any possible abuse of that AppID will be limited because of that. Hopefully that's good enough security for you and eBay, at that kind of calling volume.

If you decide to upgrade your AppID/account to 1.5M calls/day via the CAC, then DON'T distribute your AppID; instead keep it private. (This decision needs to be made in advance, or perhaps you can open a second eBay Dev account for CAC.) If you're getting that much use (or abuse) on your app to warrant needing that higher call rate, you should invest in a more robust solution for authenticating API calls, such as not deploying your AppID and instead retaining it server-side, and having the client app call your own server, which proxies API calls while applying needed caching, throttling, security checks, etc.

Or, require your clients to each register for a free eBay Dev account, complete with a 5K calls/day AppID key just for them, and they can insert their AppID into the app and free themselves from being dependent on your AppID (and free you from the risk of abuse). HTH.

Hello helios825, I saw some of the questions you mention, but it wasn't clear to me how to continue if I want a CAC. I am going for the second option and will keep the APP-ID secret by wrapping the calls in my own API. Thanks for your time, Agustín.
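The server-side option from the answer above (keep the AppID on your own server, have the browser call that server, and apply validation, throttling and caching before the upstream call) as an added example. This is editorial example code, not code from the original thread, eBay, or either poster. It assumes Node.js 18+ (global fetch), that the AppID is supplied through an EBAY_APP_ID environment variable, and that the Finding API endpoint and findItemsByKeywords parameters are as eBay documented them for that API; the client key, limits and TTL values are illustrative choices.

```javascript
// Added example (not from the original post): a minimal Node.js proxy that keeps the
// eBay AppID server-side. The browser calls GET /api/search?q=<keywords> here; the
// proxy validates the keywords, throttles per client, serves from cache when it can,
// and only then calls the Finding API with the secret AppID.
// Assumptions: Node 18+ (global fetch/URL), AppID in process.env.EBAY_APP_ID,
// endpoint and parameter names as documented by eBay for findItemsByKeywords.

const FINDING_ENDPOINT = 'https://svcs.ebay.com/services/search/FindingService/v1';
const MAX_KEYWORDS_LEN = 100;

// Reject anything that is not a short keyword string without control characters.
// Returning null lets the caller answer 400 without spending an upstream call (and
// daily quota) on junk. Returns the trimmed keywords on success.
function validateKeywords(raw) {
  if (typeof raw !== 'string') return null;
  const q = raw.trim();
  if (q.length === 0 || q.length > MAX_KEYWORDS_LEN) return null;
  if (/[\x00-\x1F\x7F]/.test(q)) return null;
  return q;
}

// The AppID is attached here, on the server; the browser never sees this URL.
function buildFindingUrl(appId, keywords) {
  const u = new URL(FINDING_ENDPOINT);
  u.searchParams.set('OPERATION-NAME', 'findItemsByKeywords');
  u.searchParams.set('SERVICE-VERSION', '1.0.0');
  u.searchParams.set('SECURITY-APPNAME', appId);
  u.searchParams.set('RESPONSE-DATA-FORMAT', 'JSON');
  u.searchParams.set('REST-PAYLOAD', '');
  u.searchParams.set('keywords', keywords);
  u.searchParams.set('paginationInput.entriesPerPage', '10');
  return u.toString();
}

// Fixed-window limiter: at most `limit` requests per `windowMs` per client key.
// With a 5K calls/day AppID this is what stops one abusive client from burning the
// whole quota for everyone. `now` is injectable for deterministic testing.
class RateLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.buckets = new Map(); }
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

// TTL cache keyed by normalised keywords, so repeated searches cost one upstream call.
class TtlCache {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.entries = new Map(); }
  get(key, now = Date.now()) {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (now - e.at >= this.ttlMs) { this.entries.delete(key); return undefined; }
    return e.value;
  }
  set(key, value, now = Date.now()) { this.entries.set(key, { at: now, value }); }
}

// Core handler, kept separate from the HTTP server so it can be exercised directly.
// deps = { appId, limiter, cache, fetchJson }; fetchJson(url) does the upstream call
// and is injected so a test can stub it. Resolves to { status, body, cached? }.
async function handleSearch(rawQuery, clientKey, deps) {
  const keywords = validateKeywords(rawQuery);
  if (keywords === null) return { status: 400, body: { error: 'invalid keywords' } };
  if (!deps.limiter.allow(clientKey)) return { status: 429, body: { error: 'too many requests' } };
  const cacheKey = keywords.toLowerCase();
  const cached = deps.cache.get(cacheKey);
  if (cached !== undefined) return { status: 200, body: cached, cached: true };
  const upstream = await deps.fetchJson(buildFindingUrl(deps.appId, keywords));
  deps.cache.set(cacheKey, upstream);
  return { status: 200, body: upstream, cached: false };
}

// HTTP front end. Only the parsed upstream body is forwarded; upstream errors (whose
// messages may contain the request URL, and so the AppID) are never echoed.
function startServer(port) {
  const http = require('http');
  const appId = process.env.EBAY_APP_ID;
  if (!appId) throw new Error('set EBAY_APP_ID in the server environment');
  const deps = {
    appId,
    limiter: new RateLimiter(30, 60 * 1000),   // 30 searches per minute per client IP
    cache: new TtlCache(5 * 60 * 1000),        // 5-minute result cache
    fetchJson: async (url) => {
      const res = await fetch(url);
      if (!res.ok) throw new Error(`upstream ${res.status}`);
      return res.json();
    },
  };
  return http.createServer(async (req, res) => {
    const url = new URL(req.url, 'http://localhost');
    if (req.method !== 'GET' || url.pathname !== '/api/search') { res.writeHead(404); res.end(); return; }
    let result;
    try {
      result = await handleSearch(url.searchParams.get('q'), req.socket.remoteAddress, deps);
    } catch (err) {
      result = { status: 502, body: { error: 'upstream failure' } };
    }
    res.writeHead(result.status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(result.body));
  }).listen(port);
}

if (typeof require !== 'undefined' && require.main === module) startServer(3000);
```

Run it with `EBAY_APP_ID=... node proxy.js` and point the page's JavaScript at `/api/search?q=...` instead of at eBay. Note that `req.socket.remoteAddress` is the right client key only when Node terminates the connection itself; behind a reverse proxy or load balancer it would be the proxy's address, and the key should come from a trusted forwarded-for header instead. Validation runs before the rate limiter so malformed requests are rejected cheaply, and the limiter runs before the cache so a flood of identical cached queries still cannot hammer the server.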