Jump to content
  • 0

Using User Cookies For REST API Calls



Hello Caspio Community! 

Let me explaining my scenario firstly please.

Currently I'm stuck on how to authenticate REST API calls in a secure manner. I have a new app stood up and ready to launch (this app is/well always be locked behind Caspio Login) . However, before I launch  this app I was wondering if I could use "document.cookie()" user token to make API calls instead of the bearer token that I have been using for development.   If I could use a user token instead of an API key I would feel much more secure. 


Thank you for taking time out of your day to read this! I look forward to reading your replies!

Link to comment
Share on other sites

1 answer to this question

Recommended Posts

  • 0

Hi @fundy,
Temporary API tokens generated on login would be pretty cool indeed!

One approach that successfully allows one to get an API access token while keeping API keys secure is to use an AWS Lamba function.


Using a lambda means API keys are used in a server-side function, so the keys stay out of the browser, where they're vulnerable. Call this function with an endpoint exposed using an AWS API Gateway (for example). Successful requests respond with temporary access tokens (and errant calls return a descriptive error message).

Lambda Function:

var XMLHttpRequest = require('xmlhttprequest-ssl').XMLHttpRequest; // Node JS module

module.exports.caspioApiAuth = (event, context, callback) => {
  const api_url = 'https://acctid.caspio.com/oauth/token';
  const api_secret = '456'; // client_secret
  var api_id = event.queryStringParameters.api; // get client_id by passing it to the endpoint with a query string param: ?api=[client_id]

  getAccessToken(api_url, api_id, api_secret);

  function getAccessToken(url, cid, cs) {
    var authXhr = new XMLHttpRequest(); // declare an XHR object
    var api_token = ''; // declare a string varible for the token
    var body = 'grant_type=client_credentials&client_id=' + cid + '&client_secret=' + cs; // body string
    authXhr.open('POST', url); // set the XHR open attribute
    authXhr.send(body); // send the body

    // request made, response coming

    authXhr.onreadystatechange = function () { // on response, wait for the response to be ready
     if (authXhr.readyState === 4) // state 4 is the results
      if(authXhr.status === 200) {  // 200 is success
        var response = JSON.parse(authXhr.responseText); // parse the response into an object
        api_token = response.access_token; // set the token
        respond(authXhr.status, api_token); // format and return the token response
      } else { // if it's not a success, explain why
        respond(authXhr.status, '! token error \n' + authXhr.status + ' \n' + authXhr.responseText.split('<title>')[1].split('</title>')[0]);
     } // no else on readyStateChange because 4 is the only state that matters


  function respond(st, txt) {
    const response = {
      statusCode: st, // status codes tell the browser what to do with the response.
      headers: { 'Access-Control-Allow-Origin': '[approved origin or *]', }, // Required for CORS support to work
      body: txt, // the token or error message
    callback(null, response); // send a response

(this simplified version has not been tested, but was originally duplicated from a live Lamba)

Edited by LWSChad
Improved error handling
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...