#[SOLVED] Cloud - USERS REST API - Appwrite-Key - Is it ok to use it from the client?

Trying to get the User's info via rest api and by the userId from session.
I'm getting ERR_ABORTED 401 (Unauthorized)

From the docs I read I need to send via a GET request those headers:
GET /v1/users/{userId} HTTP/1.1
Content-Type: application/json
X-Appwrite-Response-Format: 1.4.0
X-Appwrite-Project: 5df5acd0d48c2
X-Appwrite-Key: 919c2d18fb5d4...a2ae413da83346ad2

I finally succeeded
My question is regarding the Appwrite-Key - in the docs it says:

API key used for server authentication. Your API key is a secret, do not use it in client applications.

I'm using it from the client to make the api call..so this is a security risk?
Thanks

https://appwrite.io/docs/apis/rest

Cloud - USERS REST API - Appwrite-Key - Is it ok to use it from the client?

@slender vapor Hi, can you please help ?

Yes, it is a security risk

Please don't ping people as it can be disruptive

Ok

Even if the key is in .env file?

Anything you put in a client side app should be considered freely available for anyone to see

So, what should I do in this case?

If you need to do anything sensitive, it should be done server side and have security controls in place to protect from unrestricted access.

That said, there might be some other ways to handle what it is you're doing. What's your use case? What problem are you trying to solve?

I will answer in a few minutes, thank you for your patience

I'm making an app that will use Appwrite's all APIs. Auth, Database and storage. Maybe, functions too.
I don't want to code and eventually find that I made security risks all over.
So, if you think I should make some kind of proxy server (Nodejs) that will have all the API keys stored there, and the client will make requests to that proxy server, I will do it.

This doesn't clarify the use case and what functionality you're trying to provide

right now, I'm getting the user's data - email, and if he is a verified user - as part of email reset and email verification
Eventually, I need to make a full authentication mechanism
Do you want to know what the app is doing?

Sounds like the user case is a user needs to log in , see their data, verify their email.

Why can't you do this client side?

Using the account API?

As far as I understand, the Account Api gives me session data, and session data does not have info about if the user is verified

If you get session, it has session data. If you get account, it has account data

And account data includes data about OAuth users too? like google?

Sessions have oauth data. The only thing oauth in Appwrite is that the session says it's oauth and has the oauth providers email. There's also user identities.

Account has info about the user. Please refer to the docs: https://appwrite.io/docs/references/cloud/client-web/account#get

Ok, no problem I will look into it asap. But in general perspective, when building an app - should I use some kind of a proxy server like I mentioned before?

And you are of course right - I looked at Account - It has all the info....

It depends on your use case and requirements. If you want to build a backend or hide away Appwrite, you can put something between your client app and Appwrite

Thank you very much @shut meadow !
My final question - If I will make a proxy server (NodeJS) - How can I validate api calls from the client ? besides checking cors ?
I know that in FB, you can validate api calls with their admin SDK.
Is there some kind of a similar mechanism with Appwrite?

Easiest way is to generate a JWT token client side and include that in requests to your back end server. Your backend server would load the token and call account.get() to validate the token and fetch the user

https://appwrite.io/docs/products/auth/jwt

That's great. Thank you !