SDK Authentication with Secure Mode (using Server-Key)

Greetings y’all!

We’re trying to implement a chat system within our app, without exposing the APIKey on the client-side.
We’re able to get an accessToken from the server-side by calling

  • /api/v3/authentication/token?userId=${userID}
  • /api/v3/sessions

The thing is, front-end wise, in order to use the typescript-SDK, we need to have an active client instance, which can only be created using an API Key.

  • We tried passing an empty APIkey string and setting the accessToken value (didn’t work out)
  • Using the createAuthToken (No active client instance)

How may we proceed? Any insights are welcome!
We’ve looked in the Security-Settings but the Getting-Started part doesn’t tackle how to use accessToken with the SDK, without an APIKey.

We noticed there’s also this OpenAPI Spec. Does it mean that, once we start using the secure-mode, the SDK becomes obsolete and we would have to wrap the API/generate an SDK on our own?

Hi @Teldrassil, after turning on secure mode, you will have to store the given server key in your API, and when authentication gets called from the FE, you can then send the request to that API to get the auth token. However, you will still have to pass your apikey along.

https://api-docs.amity.co/#/Authentication/get_api_v3_authentication_token

@amitysupport Thank you for your answer!

Wouldn’t that still allow people to execute malicious operations as they know the API-Key from frontend?

Hi @Teldrassil, no, it wouldn’t. Other people won’t be able to execute this, because all API and SDK calls require an access token. On top of that, if you turn on secure mode, an authentication token is required (which requires calling the API with the server key).
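
The flow described in the replies above, sketched as an added example that is not part of the thread and is not Amity's own code: a backend token broker that keeps the server key on the server and takes the userId only from the app's own authenticated session, so a client cannot request a token for someone else. Assumptions: the `x-server-key` header name, the placeholder base URL, the session and config object shapes, the injected `httpGet` client, and treating the upstream response body as an opaque token.

```javascript
// Added example: backend-side token broker for secure mode.
// Endpoint path is the one named in the thread; everything else is assumed.
const TOKEN_PATH = "/api/v3/authentication/token";

// Build the server-to-server request. The userId comes only from the
// app's own verified session, never from a client-supplied parameter,
// otherwise any caller could obtain a token for any user.
function buildTokenRequest(session, config) {
  if (!session || typeof session.userId !== "string" || session.userId === "") {
    throw new Error("unauthenticated: no userId in server-side session");
  }
  if (!config || !config.serverKey) {
    throw new Error("server key not configured");
  }
  return {
    url: config.baseUrl + TOKEN_PATH +
      "?userId=" + encodeURIComponent(session.userId),
    headers: { "x-server-key": config.serverKey }, // assumed header name
  };
}

// Shape what the front end receives: the auth token only.
// Upstream errors are collapsed so no upstream detail reaches the client.
function toClientResponse(upstreamStatus, upstreamBody) {
  if (upstreamStatus !== 200) {
    return { status: 502, body: { error: "token service unavailable" } };
  }
  return { status: 200, body: { authToken: upstreamBody } };
}

// Handler core. httpGet(url, headers) -> Promise<{status, body}> is an
// injected HTTP client (hypothetical), which keeps this runnable offline.
async function issueAuthToken(session, config, httpGet) {
  const req = buildTokenRequest(session, config);
  const res = await httpGet(req.url, req.headers);
  return toClientResponse(res.status, res.body);
}
```

The front end then hands the returned token to the SDK together with the API key, as the support reply describes; the server key never appears in any response.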