#Appload - API KEY (http request)

idle scroll
#

Hi, can anyone advise how to handle the api key?
I have already tried several options but none of them work.
I understand that the api key should not be written directly into the code but where should I write it so that the code works?
I tried hiding it via GitHub but without success.
I also tried hiding it in a C++ file but it is also public there.

Many years ago I programmed for BlackBerry 10 and I was faced with the same problem.

Here is my test of appload and http request 🙂
It's great.

celest oriole
#

I'm assuming the API is some third-party service? Typically you are not supposed to distribute a key for services like this. There are two main ways around it:

First, you can host your own API and proxy requests to the real API with your key on your servers. Then your client doesn't need a key at all, and your real key stays on your infrastructure.

A more common solution is to just let users assign their own key. In the case of a third-party service, you typically want users to register their own account and get their own key to the service.

If users can't get their own keys, your only real option is to proxy the requests on your server. Even if you obfuscate and encrypt the binary, a sufficiently motivated attacker can recover it. The only solution is to not distribute the keys at all.

idle scroll
#

The API key is from tmdb.org.

Um, I don't have my own server.

A custom key is not user-friendly for most users. This means that no one would use the app 😦
I would like to offer it to everyone when finished.

celest oriole
#

The API key is per-user. If you give all of your users the same key, they are effectively using the same TMDB account. All favorites or saved items or whatever would be shared among everyone using your app.

What you want to do here is find a way to let the user log into their TMDB account and generate an API key locally on their device.

ivory pebble
#

I personally would just recommend having instructions on how to generate it on the desktop, and then maybe a tiny application they can run to send the key over to the device over USB.

idle scroll
#

OK, thanks guys for the info.

Now in general, @brant I understand your comment and it makes sense.
Are all these requirements handled this way?
When someone develops a mobile app, no one gets an API key (user).
How is this handled?

celest oriole
#

OAuth, generally. The user gets either a login prompt or a web browser opens with a magic URL. When the user's credentials are passed to the service, the service sends back an API key that gets saved on the device.

idle scroll
#

OK, thanks a lot for the direction.
Yeah, that makes sense.
So I don't know if it could be used on reMarkable in appload 🙂 if that's not too much.

celest oriole
idle scroll
#

Thank you.

ivory pebble
#

You probably will still want to do the OAuth flow on the desktop and then send the tokens to the device.
