Security when allowing access to API issue

Hi all,

We have a bit of a security issue which concerns us.

A third-party developer is building a site which will allow users to subscribe to a list which we host on our CM account for a client.

In order to subscribe new users the Developer needs all 3 API keys (Our main one, Client key and List key). But as far as I can see by giving the main API key we are giving the external developer complete access to all our account including all other clients, records of sales etc etc.

Is there a way to avoid this?

Thanks

Phil Phil, 4 years ago

G'day,

For subscribing users to a list I'm not sure why the clientID is needed, but that's not really the point. There are obviously functions I'm not aware of.

In any case, it is possible to lock the developer down to only the functionality for that one client by obtaining an ApiKey which is specific to *just that client*. If you plug in your site address along with the client's username & password it will send back the client-specific api access key which you can use in place of the main API key.

If they use that they won't be able to create clients, get lists of clients, etc. They're locked down to the actions on that client: creating campaigns, lists, signups, etc.

SelectMailer SelectMailer, 4 years ago

Thanks Phil, that answers that perfectly.

Regards


********************************************
SelectMailer www.selectmailer.com
********************************************
SelectMailer SelectMailer, 4 years ago

Hi Phil,

An update to this query. The third-party developer is using this WordPress plugin http://www.campaignmonitor.com/downloads/wordpress-contact-form-7-plugin/ mentioned on your site, which requires all 3 keys. Will the method you suggested above work OK for this?

Regards


********************************************
SelectMailer www.selectmailer.com
********************************************
Phil Phil, 4 years ago

I can't think of any reason why a plug-in for list management should ever need to use account-level actions, so it *should* work. But in the end, there's no substitute for just trying it out. Give it a shot and let us know here how it goes :)

tGriffin tGriffin, 4 years ago

What is the dead simple way to hand a client their API key for integration with other services such as OneSaas?
I've searched documentation and forum relentlessly and cannot see a non-developer way to do this :-)

Help?


Find me on twitter @learnerslife

Mission: Communicate on facebook
Phil Phil, 4 years ago

Hi tGriffin,

This is probably the simplest way, although I'll leave you to decide whether it's dead simple or not ;)

If they go to http://api.createsend.com/api/v3/apikey … tesend.com (making sure you change 'yoursiteaddress' to, um, your site address) and enter their username and password they'll get their client-specific API key returned. That'll return it as XML, and most browsers by default will return that in a readable enough format that they'll be able to copy the ApiKey portion for entry into 3rd party integrations.

Hope that helps,
Phil

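The two things Phil describes in this thread, fetching a client-scoped key with the client's own login and then handing that key (rather than the account key) to a third party, are worth scripting, both so the client does not have to read XML in a browser and so you can confirm the key really is locked down before giving it away. The example below is added here and is not code from the thread or from Campaign Monitor; it assumes the v3 base URL `https://api.createsend.com/api/v3`, the `apikey.xml?siteurl=...` query form (the thread's URL is truncated, so this shape is an assumption), HTTP Basic auth with the client's username and password for that call, and the API key in the username slot with a dummy password for everything else. The `send` transport, sample XML and `fake_send_factory` are constructed stand-ins so the script runs offline; swap in `urllib.request.urlopen` for a real check.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request

# Assumed base URL; the thread only shows a truncated v3 URL.
API_BASE = "https://api.createsend.com/api/v3"

# Constructed sample of the XML the apikey call is said to return.
SAMPLE_APIKEY_XML = b'<?xml version="1.0" encoding="utf-8"?><ApiKey>abc123clientkey</ApiKey>'


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential header for username:password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_client_apikey_request(site_url: str, username: str, password: str) -> Request:
    """Request for the client-scoped key, authenticated with the client's own login.
    Query form (apikey.xml?siteurl=...) is an assumption based on the thread."""
    url = f"{API_BASE}/apikey.xml?{urlencode({'siteurl': site_url})}"
    return Request(url, headers={"Authorization": basic_auth_header(username, password)})


def parse_apikey_xml(body: bytes) -> str:
    """Pull the ApiKey value out of the XML body, whether it is the root or a child."""
    root = ET.fromstring(body)
    node = root if root.tag == "ApiKey" else root.find("ApiKey")
    if node is None or not (node.text or "").strip():
        raise ValueError("no ApiKey element in response")
    return node.text.strip()


def check_key_scope(api_key: str, client_id: str, send) -> dict:
    """Probe one account-level and one client-level endpoint with the key.
    send(request) -> (status, body); returns which probes answered 200."""
    auth = basic_auth_header(api_key, "x")  # key goes in the username slot, password is ignored
    probes = {
        "account_clients": f"{API_BASE}/clients.json",                    # account-wide
        "client_lists": f"{API_BASE}/clients/{client_id}/lists.json",     # this client only
    }
    results = {}
    for name, url in probes.items():
        status, _ = send(Request(url, headers={"Authorization": auth}))
        results[name] = status == 200
    return results


def is_client_scoped(scope: dict) -> bool:
    """A key safe to hand out can reach the client's lists but not the account's client list."""
    return bool(scope["client_lists"] and not scope["account_clients"])


def fake_send_factory(keys: dict):
    """Constructed offline transport: keys maps api_key -> 'account' or 'client'.
    Account-level URLs answer 401 unless the key is an account key."""
    def send(req: Request):
        header = req.get_header("Authorization") or ""
        raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
        level = keys.get(raw.split(":", 1)[0])
        if level is None:
            return 401, b""
        if req.full_url.endswith("/clients.json") and level != "account":
            return 401, b""
        return 200, b"[]"
    return send


if __name__ == "__main__":
    key = parse_apikey_xml(SAMPLE_APIKEY_XML)
    send = fake_send_factory({"ACCOUNTKEY": "account", key: "client"})
    for label, k in (("account key", "ACCOUNTKEY"), ("client key", key)):
        scope = check_key_scope(k, "client123", send)
        print(label, scope, "safe to hand out:" , is_client_scoped(scope))
```

Run the scope check against the real API before the developer's plugin goes live: if the key you plan to give them returns 200 on `/clients.json`, it is the account key and exposes every client, exactly the situation the original post is worried about.
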
tGriffin tGriffin, 4 years ago

That is fantastic. Thank you for posting this helpful instruction Phil!


Find me on twitter @learnerslife

Mission: Communicate on facebook
