I've just had a quick play with the API (Great work - looking forward to making some stuff with it!) but have hit a snag when trying to build a client-side application in JavaScript (making requests to the API).
JSONP/Callback Support
We might be able to do this. It would be trivial to implement on our end. I'd like to think about potential security issues with this prior to saying yes or no. One thing that comes to mind is that anyone who uses your app has access to your API key. That's not a huge concern, just not something we really anticipated.
I'll respond again soon with a yes or no.
That's understandable - I suppose there are security problems.
I'd like something like this, as well. Could it just be recommended practice that app developers not distribute their API key with their app? i.e. a step in the installation of your app would be to edit the API key. My use-case is a little JS utility that can be loaded onto web pages and show tool-tips with game, franchise, character, etc. info - kind of like WoWHead's script: http://www.wowhead.com/?powered
"I'd like something like this, as well. Could it just be recommended practice that app developers not distribute their API key with their app? i.e. a step in the installation of your app would be to edit the API key. My use-case is a little JS utility that can be loaded onto web pages and show tool-tips with game, franchise, character, etc. info - kind of like WoWHead's script: http://www.wowhead.com/?powered" Basically, the user would have to provide their own API key? I was thinking that too, but you'd have to make sure your users know how to get one.
"Basically, the user would have to provide their own API key? I was thinking that too, but you'd have to make sure your users know how to get one." Right. They've made it really easy to get a key, so hopefully it wouldn't be too big of a deal. I believe Flickr has handled this well (i.e. http://api.flickr.com/services/feeds/photos_public.gne?tags=cat&tagmode=any&format=json&jsoncallback=? ) but I believe they've also got a limited API if you're not using an API key - which may be more than Whiskey is looking to do at this time.
"My use-case is a little JS utility that can be loaded onto web pages and show tool-tips with game, franchise, character, etc. info - kind of like WoWHead's script: http://www.wowhead.com/?powered" Fantastic idea!
"The problem Andy raised is that with a JS implementation (no matter whose API key it is...), it's still visible to the world." Yeah, that's a very good point. I think the allowed domains idea may be a good workaround, if that's something you guys are interested in doing.
doogiemac: Awesome idea. I'm a huge fan of WOWhead. Something similar for GB is a great use for the API.
As TheBeast said, my only real concern is that the API key can easily be seen by the world if it's in JS. Maybe that's not a huge problem. I'll come up with something today and reply back to this thread.
There's an interesting article here about API authentication - although it's more to do with handling user data in an API, it might give you some ideas.
Agreed. I've gone ahead and added jsonp support. Updated the documentation to be a little more clear about responses, formats, etc.
For jsonp, just do: http://api.giantbomb.com/game/1/?api_key=<your key>&format=jsonp&json_callback=<your callback name>
Let me know if there are any problems.
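An added example (not part of the thread, and not Giant Bomb's code): helpers for a small server-side relay that covers the two concerns raised above, keeping the API key out of page JavaScript and applying the "allowed domains" idea, using the URL format from the last post. The function names, the allow list, and the callback-name rule are assumptions made for illustration.

```javascript
// Added example: helpers for a server-side relay, so the API key never ships in page JS.
// Names and the allow list are hypothetical; only the URL format comes from the thread.
const API_BASE = 'http://api.giantbomb.com';
const ALLOWED_HOSTS = new Set(['tooltips.example.com', 'www.example.com']); // constructed

// Assumed rule: callback must be a dotted JS identifier, at most 64 characters.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// "Allowed domains": accept only requests whose Origin/Referer host is on the list.
// Non-browser clients can forge these headers, so this limits browser embedding;
// it is not authentication.
function isAllowedOrigin(originOrReferer) {
  try {
    const url = new URL(originOrReferer);
    return ['http:', 'https:'].includes(url.protocol) && ALLOWED_HOSTS.has(url.hostname);
  } catch (_) {
    return false; // header missing or malformed: deny
  }
}

// Build the upstream JSONP request; the key is attached here, on the server only.
function buildUpstreamUrl(resource, id, apiKey, callback) {
  if (!/^[a-z_]+$/.test(resource) || !/^\d+$/.test(String(id))) {
    throw new Error('invalid resource or id');
  }
  if (typeof callback !== 'string' || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    throw new Error('invalid callback name');
  }
  const url = new URL(`/${resource}/${id}/`, API_BASE);
  url.searchParams.set('api_key', apiKey);
  url.searchParams.set('format', 'jsonp');
  url.searchParams.set('json_callback', callback);
  return url.toString();
}

// Keys in query strings end up in access logs; redact before logging the URL.
function redactKey(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has('api_key')) url.searchParams.set('api_key', 'REDACTED');
  return url.toString();
}
```

The page script would call the relay with only the resource, id and callback name; the relay checks the origin, builds the upstream URL with its own key, and returns the response body unchanged.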