Hi, bro. I want to get data from any API, ie: input is website url, output is information table. My API are investing.com, finance.yahoo… Pls, help me! Thanks
Watch my video and you should be able to figure it out. If you need help, start a new topic and provide details about what you’ve tried including screenshots (see the first post for a list of information you need to include).
Hi Tatiang, Thank you for the WebAPI intro. I hope you can elaborate on security.
I watched all of @darren videos on this topic and the 10 or so videos by @simran that popped up here: Any tips for working with the WebAPI component? - #11 by domhnallohanlon
In one video (the Yelp one) the key is pasted in the WebAPI form. It’s not clear if that form is encrypted in the compiled app.
I am trying to understand if Thunkable supports methods to hide API keys and other portions of the URL string.
You briefly touch on this in the video (around the intro to JSON), but didn’t finish the thought.
I want to make an app that does not require login, nor firebase. I am thinking of using a stored variable.
The user would enter the key the first time the app runs.
From what I have read, the stored variable is local to the device and does not travel with the shared app.
In other words, I don’t want someone decompiling my app and find the key in the code.
I tried decompiling my own app, but I cannot find my code in the myriad folders of the APK file.
I am still learning about security and started reading about Bearer and OAuth stuff… very convoluted.
It seems that stored variables would avoid me getting into complicated topics on Bearer, OAuth… my head hurts.
Thanks,
Pescatore
Dear @pescatore
Thunkable allows the use of Bearer authorization in the header. Bearer keys are actually encrypted versions of the actual name and password which will provide a level of security if all what you are worried about is seeing the key in the decompiled version.
Thank you for the response, @muneer . Yes, I am trying to eliminate any easily discoverable key or token in my code.
Do you know of an example/video for adding the Bearer header? I guess I would add additional text blocks to the WebAPI object, where I build up the URL.
The Bearer Authorization goes in the Headers section
either in the Web API
component settings or in the Headers coding block
.
It is not usual to be part of the URL.
I’m curious exactly what you’re trying to do. Are you trying to hide the keys/tokens from other developers on these forums who might view your project? Or from end users who download your app and use it as intended? Or from people who might try to reverse engineer your app?
Hello Tatiang, I am trying to add as much protection from hackers without making the app too complex for my skill level.
I am new to Thunkable and security in general, so I may be asking the wrong questions. I have a simple app in Thunkable classic that pings a URL that contains an access token. I was able to easily find the token in the APK file, after decompiling.
I am testing the same app (converted) in Thunkable X and I haven’t been able to find the source code. There are so many folders in the APK file that I gave up looking.
So, I am trying to understand if Thunkable X protects this data in the source code.
I am also looking into how Bearer Authorization works, but first I have to figure out what the API is expecting (the one I ping, not Thunkable).
Thanks for asking!
Pescatore
@tatiang …i watched your video on API and trying to work on it to retrieve a currency expansion for a 3-letter symbol of the currency. When i tried it on chrome to retrieve the json file using the api key, am successful, but when am trying to do the same in thunkable, it throws an error…am i doing something wrong here. Here are the screenshots
Chrome :
Blocks in thunkable:
Error message from response:
Can you kindly help.
Thanks in advance
I’m happy to help but based on that error, I don’t think the problem is with how you are attempting to parse the JSON response. It sounds like your URL is incorrect. Are you able to use that same URL in a browser and get the JSON response you posted?
Do you have a link to the documentation for the API? It’s likely that it requires a form of authentication that you haven’t provided such as a particular header.
Edit: found it here: API Documentation - Fixer
Try using https:// instead of http:// in the URL. There are no examples in the documentation of using http://
yes, used the same URL in both the places, on the browser it works but not on thunkable. tried using both http and https, it throws the same error.
This is the one i took from the documentation
If it’s not working using https:// in Thunkable then I’m not sure. I might be able to figure it out if I could test the API blocks myself.
Do you have an API key you can share with me privately?
Edit: I was able to get a key and test the URL in the browser. It works with http:// but not https://. With a secure https:// connection, it returns the error you’re getting.
I feel like there’s an issue where Thunkable sends all API requests as https://. I can’t quite remember and I didn’t find any topics where that’s explained. Maybe someone else can chime in here.
Edit #2: Found one reference to this:
Then again, this seems to indicate this issue has been addressed:
sorry for the late response…is there no way i could fix it then?
let me try it on the phone to see if it behaves well there
I believe you either need Thunkable Staff to fix the issue where all API requests are sent as https:// or you need to purchase a paid license for the Fixer API which will allow you to send requests via https://
it worked perfectly well on the phone :-). I will check with thunkable to see if they can help fix it. But, thanks a ton for resolving this.
You’re right, it does work on a mobile device using http://
i did try their one month subscription to try conversion from one currency to another and it worked perfectly well on thunkable without trying it on the phone. So, not sure whether the problem is with thunkable or fixer is limiting usage on its free one.
Same for my case. Strangely “http://” API URLs worked on the mobile just as expected. The problem I have is that I am using Thunkable to build a responsive web-app which is to be used with user’s browser. All the http:// requests was converted to https:// requests.
I have been trying to serve https:// on my server end (a simple apache-flask API) for the past week, but it is more complicated than I thought with all the SSL certificates, domain names stuff etc… haven’t managed to get it to work.
It is frustrating because I used thunkable for the ease of building webapps. Now I may have to learn another platform to build webapps since the APIs I used is the main feature nd works only with http://
Hope the thunkable team is looking into this or to recommend a work around. Thunkable have been a great platform for mobiles app though.
Please consider posting a bug report. Thunkable Staff can’t necessarily review every comment of every forum topic but they can keep an eye on bug reports that are submitted via GitHub. Include a link to this topic.
You may prefer to comment on this existing bug report: