Stand-alone tokens
Stand-alone tokens are placed inside the client application and used in the API calls to the ELSA servers. This is the least secure of the options discussed in this document, because the customer has no control over what the end client does with the token once they find it inside the application. While we do not recommend this approach, it is the easiest one to implement on the client side, and we understand that sometimes it is the only reasonable solution (e.g. when the client application does not require the user to authenticate with the customer servers before using the API).
On the ELSA side we do the following to ensure your ELSA token is not abused:
- We apply reasonable rate limiting to calls coming from the same origin IP
- All communication is done over HTTPS
To increase security in this implementation, you should make sure that:
- If possible, pass the API_token in a header instead of as a query parameter (both are possible in our API); a token in the query string ends up in browser history, proxy logs and server access logs, whereas a header does not
- Obfuscate the ELSA token inside the application code, so that it is difficult for an end user to find it and reuse it
- If your ELSA token has been compromised, replace the ELSA token in your app right away (you can either use the ELSA token API described below or request a new token from us) and expire the old token as soon as possible (for now you can contact us to expire it for you - an API will soon be provided to automate this step).
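The following is an added example (not ELSA's own client code) of the header-versus-query-parameter point above. It builds the same API call both ways and includes the check a reviewer would run over the result: does the secret appear in the URL? The header name X-ELSA-Token and the base URL https://elsa.example are assumptions, since this page does not name the header; the token value is a constructed placeholder.

```python
import urllib.parse

# Constructed placeholder; the real ELSA token is the one issued to the customer.
ELSA_TOKEN = "elsa-token-PLACEHOLDER"
# Assumption: the page says a header is accepted but does not name it.
TOKEN_HEADER = "X-ELSA-Token"


def build_request_query(base_url, path, token):
    """Discouraged form: the token is part of the URL, so it is written to
    browser history, proxy logs and the server's access log."""
    query = urllib.parse.urlencode({"API_token": token})
    return {"url": f"{base_url}{path}?{query}", "headers": {}}


def build_request_header(base_url, path, token):
    """Preferred form: the token travels in a request header, which HTTP
    intermediaries and access logs normally do not record."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        # ELSA only speaks HTTPS; a plaintext URL would expose the header anyway.
        raise ValueError("ELSA calls must use HTTPS; refusing plaintext transport")
    return {"url": f"{base_url}{path}", "headers": {TOKEN_HEADER: token}}


def token_leaks_into_url(request, token):
    """Review check: True if the secret would be visible in any URL log."""
    return token in request["url"]


if __name__ == "__main__":
    base = "https://elsa.example"  # assumed base URL, not ELSA's real endpoint
    for name, req in (
        ("query", build_request_query(base, "/v1/items", ELSA_TOKEN)),
        ("header", build_request_header(base, "/v1/items", ELSA_TOKEN)),
    ):
        print(f"{name:6}: leaks token into URL = {token_leaks_into_url(req, ELSA_TOKEN)}")
```

The dictionaries returned here map directly onto the `url` and `headers` arguments of any HTTP client (urllib, requests, fetch), so the same check can be dropped in front of the real call.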