Forem Creators and Builders

Cover image for Accessing APIs
Bob Fornal
Bob Fornal

Posted on

Accessing APIs

I have a script built into a Google Sheet that accesses some of the APIs. I'm not sure where I found the original article describing how to do this, but it uses the APIs getUserArticles endpoint and builds a spreadsheet with some awesome data.

I was recently preparing an article about this tool.

I was looking at converting this script and using it within an Angular project and found that CORS is not allowed when using Authorization (API Key generated via Settings).

I now know that the script I started with (in Google Sheet) is bypassing the CORS issue completely when run on Google Sheets and I suspect I can find ways to bypass this local blocking, as well.

Given that I shouldn't be able to use APIs that need Authentication with an API key (they are CORS blocked), why then do I need the api-key that can be generated at

It almost feels as if there's two different conversations going on within your organization: Functionality versus Security.

Discussion (3)

djuber profile image
Daniel Uber • Edited on

Hi Bob,

If you're only going to use the API via a browser hosted script, you can't use the api-key header in requests, and won't need an api key at all.

The api-key header works if you're doing server-side (or local) scripting, rather than accessing the api from a browser. Certainly, this does limit some functionality exposed by the api when you try to use it from a browser.

I would say yes, there are separate considerations regarding functionality and security, and when they conflict, security carries more weight. My understanding would be that you don't want to embed your api key in a script on a published page. If the browser is making the requests, and has to send the header, anyone viewing the page has plaintext access to the api key, and all the permissions it grants.

I'm not sure what Google Sheets is doing to disable this protection, but there are methods available if you search them out, you might want to think about what that means and whether that's dangerous or not.

Trying the /api/articles/me endpoint you linked to with an XMLHttpRequest, I definitely did get a request blocked message from the browser, pointing to the api-key not being a permitted header. This is intentional, the configuration is here and sets the allowed header list empty.

The same request made with curl from my desk completed successfully (as the api-key header is not stripped from the request in that case, and a json articles list is returned as I was able to authenticate successfully).

bobfornal profile image
Bob Fornal Author

I don't disagree with anything said here.

At the same time, what I guess I was pointing out somewhat poorly is there seems to be a gap in the documentation; what you said here about the security should be included with the API documentation to clarify the intent of the design.

Thanks! Bob.

djuber profile image
Daniel Uber

Hi Bob,

That makes sense - a note at about CORS protections limiting the ability to use the authenticated APIs in a browser seems like it would avoid wasted effort.

I do see some note at the beginning of the api docs

All endpoints that don't require authentication are CORS enabled.

I'll open a PR to add a note in the api key section.