Proper use of the client.js library

I’ve been playing around with the client.js library and webhooks. It seems the client.js library requires my own API key to get it started.

Then, when a user is authenticated through the pop-up I can inspect window.Trello.token() and see their token.

If I have a user that authenticates via the popup and I pass the derived token value to a post like so

var paramObj = {
    token: tok,
    description: "desc",
    callbackURL: "https://someurl",
    idModel: "abc123"
};
Trello.post('/webhooks/', paramObj, hookSuccess, hookFail);

will that not just get created on my account because the client.js library is using my API key?

I’m confused here and if anyone can provide clarity I would greatly appreciate it!

@bentley - This might be an easy one for you so I thought I’d tag you.

Think of an API key as being an application. If it is the API key that is tied to your account (you got it from, then you are the admin of the application. You prompt users via the authorization flow to grant access to their accounts to your application. This generates a token that can be used to access the user’s account. As an application admin, you will have a single API key that has been used to generate many tokens. Each token belongs to a single user (of which, one could be your own personal user!).

In the case of creating a webhook, you can think of the webhook as belonging to your API key. But the token is used to determine whether the user you’re creating the webhook on behalf of has access to the object that you’re wanting to “watch.”

So if you are creating a webhook for a board that your personal user already has read access to, then yes, you’ll use your own user’s token and your API key.


Thanks @bentley, should I be worried about having to hard-code my API key into the application? Anyone with an inspector could see that.

Nope. API keys are intended to be public.
