API Keys
How to manage your API Keys and restrict them to ensure your Woosmap Platform account is secure.
- Overview
- Registering a Woosmap Public API Key
- Registering a Woosmap Private API key
- Why should I restrict my Public API keys?
- What is a Woosmap Public API Key restriction?
- Test your restrictions
- Best practices
Overview
Woosmap Platform APIs and SDKs require you to send an API key with all calls. API keys act as unique identifiers that authenticate the calls you make to Woosmap Platform and ensure they are billed to the correct project and organisation. Whether you’re pushing new or updating existing data, searching it, or doing anything else with Woosmap’s API, you need to provide an API key.
There are two kinds of API Keys: Public and Private.
Public API keys are used to implement Woosmap features on the client-side. They allow you to retrieve your location data and benefit from the read-only capabilities of Woosmap APIs. A unique Public API Key is automatically generated when you add a new project to your organization. Note that you must authorize the domains or IP addresses that are allowed to make API calls with your Public API key.
Private API keys allow you to manage integrations on the server-side, creating new locations and updating existing ones. You need to create Private API keys manually.
Registering a Woosmap Public API Key
These steps assume you have already created your Woosmap account.
Steps:
- Visit the Woosmap Console and authenticate yourself.
- Click on the Projects icon on your left.
- Either create a new project or select an existing one.
- The Woosmap Public API Key is automatically created. You can see it from the Security tab of your project under the Project API key(s) section.
This Key is a long string of generated characters preceded by woos-, for example:
woos-26b90591-6d9e-3b74-ba24-a887ec084e86
Registering a Woosmap Private API key
These steps assume you have already created your Woosmap account.
Steps:
- Visit the Woosmap Console and authenticate yourself.
- Click on the Projects icon on your left.
- Either create a new project or select an existing one.
- From the Security tab, click on the Add a Private Key link.
- Specify a Name and check the “Give the private key write the permission (creation and edition)” option. Warning: permissions cannot be changed after the private key has been created.
- Click on the Add button.
This Key is a long string of generated characters, for example:
b887ecb5-e0bb-4b7b-a554-54e4a3d96e7a
Why should I restrict my Public API keys?
Restricting your Public API keys helps ensure your Woosmap Platform account is secured. To create a new Woosmap Project, you need to set at least one restriction on the Woosmap Public API Key. You can always change the restrictions later if you need to.
What is a Woosmap Public API Key restriction?
Woosmap Public API Key restrictions are the authorized domains or IP addresses from which calls to the Woosmap API are made.
You can add or remove an authorized domain name in the project creation stage and from the Security tab under the Domain(s) section by clicking on the Manage domains link.
Wildcard characters are acceptable for naming similar websites. For example, *.woosmap.com accepts all sites ending with .woosmap.com, such as https://developers.woosmap.com.
There is no need to specify the path of your URL page, as in www.mybrand.com/mypage/. Just specify the domain name www.mybrand.com.
Also, do not insert the protocol (http/https) in front of your domain name as it is not supported.
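The entry rules above as a pre-check you can run before pasting entries into the Console. This is an added example, not Woosmap's own code: the function names and the sample values are assumptions, and referer_allowed only models the wildcard rule as worded on this page (a host matches *.x when it ends with .x), so the server's real behaviour still has to be confirmed with a live request.

```python
from urllib.parse import urlsplit


def lint_restriction(entry: str) -> list[str]:
    """Return the problems found in one authorized domain/IP entry ([] = OK)."""
    e = entry.strip()
    if e == "*":
        return ["bare '*' allows API calls from everywhere on the web"]
    problems = []
    if "://" in e:
        problems.append("remove the protocol (http/https is not supported)")
        e = e.split("://", 1)[1]
    if "/" in e:
        problems.append("remove the path, keep only the domain name")
        e = e.split("/", 1)[0]
    if not e:
        problems.append("empty entry")
    return problems


def referer_allowed(referer: str, entries: list[str]) -> bool:
    """Assumed model of the matching rule: exact host, or '*.x' = host ends with '.x'."""
    # urlsplit finds no host in a Referer that lacks a protocol, so such a
    # value matches nothing here (the page says to start --referer with http).
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return False
    for e in (x.strip().lower() for x in entries):
        if e == "*":
            return True
        if e.startswith("*.") and host.endswith(e[1:]):
            return True
        if host == e:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample entries and referers, based on the examples on this page.
    for entry in ["www.mybrand.com", "https://www.mybrand.com/mypage/", "*"]:
        print(f"{entry!r}: {lint_restriction(entry) or 'OK'}")
    allowed = ["*.woosmap.com", "www.mybrand.com", "11.42.187.69"]
    for ref in ["https://developers.woosmap.com", "http://11.42.187.69",
                "http://notwoosmap.com", "www.mybrand.com"]:
        print(f"{ref!r}: {referer_allowed(ref, allowed)}")
```

The suffix check keeps the leading dot of the wildcard entry, which is why a look-alike host such as notwoosmap.com does not match *.woosmap.com.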
Test your restrictions
To ensure your restrictions are working properly, we recommend testing them using cURL. If you are not familiar with command-line tools, you can use a tool like Postman instead.
At the beginning of your --referer value, add the protocol http.
curl --referer 'http://www.mybrand.com' 'https://api.woosmap.com/localities/autocomplete/?input=pari&key=woos-xxxx-xxx'
curl --referer 'http://11.42.187.69' 'https://api.woosmap.com/localities/autocomplete/?input=pari&key=woos-xxxx-xxx'
Best practices
Here are some guidelines you can use to determine strategies to protect your API keys.
- Avoid using the wildcard * (which allows API calls from everywhere on the web) as your Public API Key domain restriction.
- Never use the same API key for client-side and server-side applications. In particular, do not expose your Private API Key on the front end.
- Delete Private API keys you no longer need.