We have a bit of a security issue which concerns us.
A third-party developer is building a site which will allow users to subscribe to a list which we host on our CM account for a client.
In order to subscribe new users the developer needs all 3 API keys (our main one, the client key and the list key). But as far as I can see, by giving out the main API key we are giving the external developer complete access to our whole account, including all other clients, records of sales, etc.
Is there a way to avoid this?
For subscribing users to a list I'm not sure why the clientID is needed, but that's not really the point. There are obviously functions I'm not aware of.
In any case, it is possible to lock the developer down to only the functionality for that one client by obtaining an ApiKey which is specific to *just that client*. If you plug in your site address along with the client's username & password it will send back the client-specific API access key which you can use in place of the main API key.
If they use that they won't be able to create clients, get lists of clients, etc. They're locked down to the actions on that client: creating campaigns, lists, signups, etc.
Thanks Phil, that answers that perfectly.
An update to this query. The third-party developer is using this WordPress plugin http://www.campaignmonitor.com/downloads/wordpress-contact-form-7-plugin/ mentioned on your site which requires all 3 keys. Will the method you suggested above work OK for this?
I can't think of any reason why a plug-in for list management should ever need to use account-level actions, so it *should* work. But in the end, there's no substitute for just trying it out. Give it a shot and let us know here how it goes :)
What is the dead simple way to hand a client their API key for integration with other services such as OneSaas?
I've searched documentation and forum relentlessly and cannot see a non-developer way to do this :-)
This is probably the simplest way, although I'll leave you to decide whether it's dead or not ;)
If they go to http://api.createsend.com/api/v3/apikey … tesend.com (making sure you change 'yoursiteaddress' to, um, your site address) and enter their username and password they'll get their client-specific API key returned. That'll return it as XML, and most browsers by default will render that in a readable enough format that they'll be able to copy the ApiKey portion for entry into third-party integrations.
Hope that helps,
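The same procedure in script form, as an added example that is not code from the thread or from Campaign Monitor: log in to the apikey endpoint with the client's own username and password, pull the ApiKey element out of the XML, and then, before handing the key to a third party, confirm it really is client-scoped by checking that an account-level call (listing clients) is refused. The https scheme, the `apikey.xml`/`clients.xml` paths under `/api/v3`, the "API key as Basic-auth username with any password" convention, and 401/403 as the denial codes are assumptions not stated on the page; the XML responses embedded below are constructed so the demo runs offline.

```python
"""Obtain a client-scoped Campaign Monitor API key and verify its scope.
Added example, not the thread's or Campaign Monitor's code. Endpoint paths,
the https scheme and the 401/403 denial codes are assumptions."""
import base64
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_BASE = "https://api.createsend.com/api/v3"  # assumption: https + the v3 path from the thread


def basic_auth_header(user: str, password: str) -> dict:
    """HTTP Basic credentials. Assumption: an API key is sent as the username with any password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_get(url: str, user: str, password: str):
    """Real transport: GET with Basic auth, returning (status, body).
    HTTP errors come back as (code, body) instead of raising so callers can inspect them."""
    req = urllib.request.Request(url, headers=basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def parse_api_key(xml_text: str) -> str:
    """Extract the ApiKey element, whether it is the root or nested inside a wrapper."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "ApiKey" else root.find(".//ApiKey")
    if node is None or not (node.text or "").strip():
        raise ValueError("no ApiKey element in response")
    return node.text.strip()


def fetch_client_api_key(username: str, password: str, site_url: str, http=http_get) -> str:
    """Log in with the *client's* username/password (not the account owner's),
    so the key returned is scoped to that client only."""
    url = f"{API_BASE}/apikey.xml?siteurl={urllib.parse.quote(site_url, safe='')}"
    status, body = http(url, username, password)
    if status != 200:
        raise RuntimeError(f"apikey request failed with HTTP {status}")
    return parse_api_key(body)


def is_client_scoped(api_key: str, http=http_get) -> bool:
    """Least-privilege check before sharing the key: an account-level call must be refused.
    Assumption: a client-scoped key gets 401/403 on /clients.xml; 200 means the key is
    account-level and must NOT be handed to the third party."""
    status, _ = http(f"{API_BASE}/clients.xml", api_key, "x")
    if status == 200:
        return False
    if status in (401, 403):
        return True
    raise RuntimeError(f"inconclusive: HTTP {status} from /clients.xml")


# Constructed responses so the demo runs offline; a real server's output will differ.
SAMPLE_APIKEY_XML = "<ApiKey>0123456789abcdef0123456789abcdef</ApiKey>"
SAMPLE_DENIED_XML = "<result><Code>401</Code><Message>Unauthorized</Message></result>"


def fake_http(url: str, user: str, password: str):
    """Offline stand-in for http_get that answers with the constructed XML above."""
    if "/apikey.xml" in url:
        return 200, SAMPLE_APIKEY_XML
    if url.endswith("/clients.xml"):
        return 401, SAMPLE_DENIED_XML
    return 404, ""


def demo():
    """Fetch a client-scoped key and confirm account-level access is denied."""
    key = fetch_client_api_key(
        "client-login", "client-password",
        "https://yoursiteaddress.createsend.com",  # placeholder for the real site address
        http=fake_http,
    )
    return key, is_client_scoped(key, http=fake_http)


if __name__ == "__main__":
    key, scoped = demo()
    print(f"client API key: {key}\naccount-level access denied: {scoped}")
```

Swap `fake_http` for the default `http_get` to run it against the live API; if `is_client_scoped` returns False, the key you fetched is the account-level one and should not leave your hands.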
That is fantastic. Thank you for posting this helpful instruction Phil!