API Security
We take security seriously and expect developers using our API to do the same.
We recommend the following best practices when developing an application that retrieves and displays the data provided by the ThroughLine API.
Two pieces of information are necessary to call the ThroughLine API: the Client ID and the Client Secret.
- The Client ID is a public identifier of your application.
- The Client Secret is confidential and should only be used to authenticate your application.
Both the Client ID and Client Secret are needed to confirm your application’s identity. It is critical that you do not expose your Client Secret.
Follow these suggestions to keep your Client Secret safe:
- Store your application's client ID and client secret securely.
- Never hardcode these credentials into your application's code. Instead, store them in a secure environment, such as an encrypted configuration file or environment variable.
- When creating a native mobile application, do not store it locally on a mobile device.
- Do not expose files such as JavaScript or HTML files in client-side code.
- Do not store it in files on a web server that can be viewed externally. For example, configuration files, include files, etc.
- Do not store it in log files or error messages.
- Consider caching access tokens to avoid making unnecessary authorization requests to the authorization server. This can improve performance and minimize the risk of interception.
Remember that when exchanging an OAuth 2.0 authorization code for an access token, client_secret is passed as part of the request. Make sure you do not expose this request publicly.
Whilst the ThroughLine API access tokens are short-lived, you should still take steps to keep them safe:
- Do not store them in insecure or easily accessible locations such as client-side files.
- Do not store access tokens in code files that can be decompiled, such as iOS, or Android code files.
- Always pass access tokens over a secure (HTTPS) connection.
- Refresh access tokens before they expire to ensure continuous access to the protected API.
Always use HTTPS when making API calls to the authorization endpoints and the protected API. This will ensure that your communication is encrypted and protected from eavesdropping or man-in-the-middle attacks.
Implement error handling mechanisms to gracefully handle any errors that occur during the authorization process or API calls. This includes catching and logging errors, providing meaningful error messages to users, and retrying failed requests when appropriate.
Consider using a third-party OAuth library or SDK to simplify the implementation of OAuth authentication in your application and reduce the risk of errors. These libraries can handle many of the low-level details, such as encoding credentials, making API calls, and parsing responses.
Implement mechanisms to monitor and audit API usage. This can help you detect unauthorized access, identify potential security breaches, and optimize resource utilization.
Should you detect a breach of your application secrets take the following steps to ensure both your application and the ThroughLine API are not compromised.
- Regenerate your client application secrets by destroying the compromised application in the Developer Dashboard.
- Create a new client application and update your integration with the new application secrets.