
API Security

We take security seriously and expect developers using our API to do the same. We recommend the following best practices when developing an application that retrieves and displays the data provided by the Throughline API.

Application Secrets

Two pieces of information are necessary to call the Throughline API: the client ID and the client secret. The client ID is a public identifier of your application. The client secret is confidential and should only be used to authenticate your application. Both the client ID and the client secret are needed to confirm your application's identity, so it is critical that you do not expose your client secret. Follow these suggestions to keep your client secret safe:

- Store your application's client ID and client secret securely. Never hardcode these credentials into your application's code; instead, store them in a secure environment, such as an encrypted configuration file or an environment variable.
- When creating a native mobile application, do not store the client secret locally on the mobile device.
- Do not expose the client secret in client-side code such as JavaScript or HTML files.
- Do not store it in files on a web server that can be viewed externally (for example, configuration files, include files, etc.).
- Do not store it in log files or error messages.
- Consider caching access tokens to avoid making unnecessary authorization requests to the authorization server. This improves performance and minimizes the risk of interception.
- Remember that when exchanging an OAuth 2.0 authorization code for an access token, the client secret is passed as part of the request. Make sure you do not expose this request publicly.

Access Tokens

Whilst Throughline API access tokens are short lived, you should still take steps to keep them safe:

- Do not store them in insecure or easily accessible locations such as client-side files.
- Do not store access tokens in code files that can be decompiled, such as iOS or Android code files.
- Always pass access tokens over a secure (HTTPS) connection.
- Refresh access tokens before they expire to ensure continuous access to the protected API.

Use HTTPS for All API Calls

Always use HTTPS when making API calls to the authorization endpoints and the protected API. This ensures that your communication is encrypted and protected from eavesdropping or man-in-the-middle attacks.

Handle Errors Gracefully

Implement error handling mechanisms to gracefully handle any errors that occur during the authorization process or API calls. This includes catching and logging errors, providing meaningful error messages to users, and retrying failed requests when appropriate.

Use a Third-Party OAuth Library or SDK

Consider using a third-party OAuth library or SDK to simplify the implementation of OAuth authentication in your application and reduce the risk of errors. These libraries handle many of the low-level details, such as encoding credentials, making API calls, and parsing responses.

Monitor and Audit API Usage

Implement mechanisms to monitor and audit API usage. This can help you detect unauthorized access, identify potential security breaches, and optimize resource utilization.

Report Breaches and Regenerate Secrets

Should you detect a breach of your application secrets, take the following steps to ensure that neither your application nor the Throughline API is compromised:

1. Regenerate your client application secrets by destroying the compromised application in the developer dashboard.
2. Create a new client application and update your integration with the new application secrets.
3. Report the breach to our engineering team at engineering@throughlinecare.com and monitor the behavior.
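As an added example (not Throughline's own code or SDK), the following Python client applies the application-secret and access-token practices above: it reads the client ID and secret from environment variables rather than code, refuses a non-HTTPS token endpoint, caches the access token and refreshes it shortly before expiry, and keeps the secret out of error messages. The environment variable names, the token endpoint URL, the transport callable's signature and the in-memory fake authorization server are all assumptions.

```python
import os
import time

# Assumed names (not from the Throughline docs): env vars and a placeholder endpoint.
TOKEN_URL = "https://auth.example.invalid/oauth/token"
ENV_ID, ENV_SECRET = "THROUGHLINE_CLIENT_ID", "THROUGHLINE_CLIENT_SECRET"

class TokenError(Exception):
    """Token-endpoint failure; the message never carries the client secret."""

class TokenClient:
    """Holds one cached access token and refreshes it shortly before expiry."""

    def __init__(self, transport, token_url=TOKEN_URL, env=os.environ,
                 clock=time.monotonic, margin=60):
        if not token_url.startswith("https://"):  # secrets only travel over TLS
            raise ValueError("token endpoint must use https")
        self.client_id, self.secret = env.get(ENV_ID), env.get(ENV_SECRET)
        if not self.client_id or not self.secret:  # name the variables, never the values
            raise TokenError(f"set {ENV_ID} and {ENV_SECRET} in the environment")
        self.transport, self.url, self.clock, self.margin = transport, token_url, clock, margin
        self.token, self.refresh_token, self.expires_at = None, None, 0.0

    def _grant(self, form):
        # the client secret is added here, sent in the POST body, and never logged
        form.update(client_id=self.client_id, client_secret=self.secret)
        status, body = self.transport(self.url, form)
        if status != 200:  # surface the server's error code, not the request
            raise TokenError(f"token request failed: {body.get('error', status)}")
        self.token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + body["expires_in"]
        return self.token

    def exchange_code(self, code, redirect_uri):
        return self._grant({"grant_type": "authorization_code",
                            "code": code, "redirect_uri": redirect_uri})

    def access_token(self):
        if self.token and self.clock() + self.margin < self.expires_at:
            return self.token  # cached: no extra round trip to the auth server
        return self._grant({"grant_type": "refresh_token",
                            "refresh_token": self.refresh_token})

def fake_transport(url, form):
    """Constructed stand-in for the authorization server so the demo runs offline."""
    if form["client_secret"] != "s3cret":
        return 401, {"error": "invalid_client"}
    return 200, {"access_token": f"tok-{form['grant_type'][:4]}",
                 "refresh_token": "rt-1", "expires_in": 300}
```

In a real integration the transport would be a function that POSTs the form to the token endpoint over HTTPS and returns the status code and parsed JSON body.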