Using the woocommerce api, I return the product data, such as: value, color, weight, name, etc., like this: http://example.com/wc-json/api/products
The problem with this is that with the same api key, the hacker could query the orders and find out the customer’s name, payment method, age, city and etc., using this: http://example.com/wc-json/api/orders
You need to think carefully about what you are going to do. You don’t want to register users, but you want all users to be able to write directly to the shared table? That is, each time they must re-enter their address, phone number, and other contacts. Right?
Well, the user will want to view all their orders. How are you going to do this if they don’t register in the database?
To access Woo, a Wordpress account is used, which is used to generate an access key for the buyer. Is this the way you work?
Please note that access to AirTable is also stored in the app, so it is safe enough to enter the Api Key to access the resource in the text block in the private project Thunkable X and close this request.
Sorry, I don’t think it’s clear what I need. I have an e-commerce on Woocommerce. There, my customers buy watches, shirts and so on. I am developing an app where they can do the same thing, however, without having to log in. As well? I use the Web API to just take product data and display it in the app. When finalizing the order, I open a Web Viewer and redirect them to the checkout, so the registration part is all done via the web. The app only reads the web data to display in the app, it doesn’t register anything. However, the same key that reads product information can be used to read order information, such as customer name, address, and more. The only thing I need is to ensure that the Key is not discovered, because although the hacker cannot change anything, since the key is read-only, he could read the order information. Understood?
I understood that. I’m just interested in what you expect to hear and how do you want to assess the degree of reliability? Let’s say I’m a developer and I tell you that it’s safe to specify a confidential string in a text field. Will you take my word for it? What guarantees do you expect to hear? If Thunkable X were a banking platform, then it could be argued that it pays special attention to privacy issues.
One of the main security rules says that data must be encrypted. Can you do this in Thunkable X using blocks? No.
How can I make sure that a hacker can’t get the key from the app? You need to hire a strong data protection specialist (who knows hacking techniques) and ask them to hack the app.
If you are seriously concerned about security issues, then I can only recommend one thing: either you need to deal with this issue yourself, or hire a specialist in this field. I think that the Thunkable X forum is a bit of a wrong place, but you can wait for a response from the developers of this platform.
I am not criticizing the Thunkable X platform. I did not do that at any time. I’m sorry if that’s what it looked like. I am also not saying that it is not safe. I just wanted to know what is the best practice for handling API keys, knowing the limitations that block programming has.