Webcams V3 token for images

senaika

Hi Windy,

With the new V3 API, we now need to retrieve a token to access the url of the webcam images. I understand the purpose of securing the urls, but why not simply use our API key to retrieve those urls instead of this token?

We now have to save a token somewhere, which means more ressources usage (write on disk every x hours), which is not very ESG compliant. The API key would be enough to secure those urls, in my opinion. Any reason on why to use a token instead ? There are many other way to secure access to data without the struggle to collect a token every time.

Thank you for any clarification on this technical choice.

kekert

Hello @senaika, the reason for that is simple. If the images were protected by an API key, it could be easily stolen, and since it usually has unlimited validity, it could then be misused by whoever reads the network communication. The token, on the other hand, has limited validity and is bound to a particular URL.

@senaika said in Webcams V3 token for images:

There are many other way to secure access to data without the struggle to collect a token every time.

If you know about a better way how to secure the publicly available urls, please, let us know.

senaika

@kekert Thank you for your reply.

I'm far from being a security expert ;) but most API I used always relied on an API key or a signed certificated to protect their data.

If we assume the key could be stolen by reading the network communication, I don't see how the token would increase security. A hacker could always still the key, and make the urls requests to collect the token. Also, your other API (forecast, map) doesn't seem to have a token to protect the data, which is why I'm surprised with this token implementation for the image urls.

My main pain point with your current solution is that we have to save a token for every single image url, and then calculate when we have to collect it again.

kekert

@senaika if your API requests wouldn't be exposed (you would call them server side), that could work. But this is not the case, those requests for webcams API are usually called directly from the client. Also, url for actual webcam image is stable, without expiring tokens, you would get access to latest images forever.

@senaika said in Webcams V3 token for images:

My main pain point with your current solution is that we have to save a token for every single image url, and then calculate when we have to collect it again.

You don't have to save the token, it is already in the url. All you have to do is to call the API before each page load (in order to have urls of the images with fresh tokens)

senaika

@kekert said in Webcams V3 token for images:

You don't have to save the token, it is already in the url. All you have to do is to call the API before each page load (in order to have urls of the images with fresh tokens)

OK cool. I thought the token was also designed to minimize API usage.