AdvertServe offers all its users a complete data management, code generation and reporting API.
What can you do with the API? Just about anything that you can do with the control panel. In fact, our control panel is running on top of the API, which means you could even go so far as to build your own.
More commonly, the API is used for integration with other systems and automation of bulk operations.
For more information, please visit our developers page to access the API documentation. Here are a few best practices to protect your API:
1. Protect Your Secret Key
Never place your secret API key in the source code of a web page, especially if the page is located on a publicly accessible web site. All someone needs to do is view the source code of the page and they can easily steal your secret API key and start wreaking havoc on your data! Instead:
- Create a script using your language of choice (Java, Perl, PHP, Ruby, etc…) on your server that makes the request to the API and outputs its response.
- Your secret API key should be stored in the script or in a file or environment variable that it can read.
- Restrict file system access to your script or other file(s) where your secret API key is stored to only the necessary system users.
This accomplishes the goal of keeping your API key a secret because it does not need to be transmitted to the client.
2. Restricting Access by IP
The API settings allow you to restrict access by IP address. This should be used to permit only the systems that need to use the API to connect to it.
These IP restrictions can be further configured to support range matching. For example, entering 192.168.1. (note the trailing dot) allows access from 192.168.1.0 through 192.168.1.255. If you need to target a smaller group of IP addresses, entering 192.168.1.[8-16] allows access only from 192.168.1.8 through 192.168.1.16.
Just make sure to only put one IP address or range per line in the box when entering them.
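The following pre-flight check is an added example, not AdvertServe code: it expands each allowlist line into the address range it would cover, using only the two pattern forms described above, and reports malformed lines and required addresses that are left out. The function names, the rule that a bracket range may appear only in the last octet given, and the sample addresses are assumptions made for this sketch.

```python
import ipaddress
import re

OCTET = re.compile(r"^\d{1,3}$")
RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")

def expand_entry(entry):
    """Return the (first, last) IPv4Address covered by one allowlist line."""
    entry = entry.strip()
    prefix = entry.endswith(".")  # "192.168.1." means 192.168.1.0 through 192.168.1.255
    parts = (entry[:-1] if prefix else entry).split(".")
    # "192.168.1" without the dot is rejected: as a string prefix it would also cover 192.168.10.x
    if (len(parts) > 3) if prefix else (len(parts) != 4):
        raise ValueError(f"{entry!r}: write four octets or end a prefix with a dot")
    low, high = [], []
    for i, part in enumerate(parts):
        m = RANGE.match(part)
        if m and i == len(parts) - 1:  # assumption: a range only in the last octet given
            a, b = int(m.group(1)), int(m.group(2))
        elif OCTET.match(part):
            a = b = int(part)
        else:
            raise ValueError(f"{entry!r}: bad octet {part!r}")
        if not 0 <= a <= b <= 255:
            raise ValueError(f"{entry!r}: {part!r} is outside 0-255 or reversed")
        low.append(a)
        high.append(b)
    low += [0] * (4 - len(low))        # omitted octets span 0..255
    high += [255] * (4 - len(high))
    return tuple(ipaddress.IPv4Address(".".join(map(str, o))) for o in (low, high))

def audit(allowlist_text, required_ips):
    """Return (ranges, errors, uncovered) for a one-entry-per-line allowlist."""
    ranges, errors = [], []
    for line in filter(str.strip, allowlist_text.splitlines()):
        try:
            first, last = expand_entry(line)
            ranges.append((line.strip(), first, last, int(last) - int(first) + 1))
        except ValueError as exc:
            errors.append(str(exc))
    uncovered = [ip for ip in required_ips if not any(
        lo <= ipaddress.IPv4Address(ip) <= hi for _, lo, hi, _ in ranges)]
    return ranges, errors, uncovered

# Constructed sample input: illustrative addresses, not from any real account.
SAMPLE = "192.168.1.[8-16]\n10.0.0.\n203.0.113.7\n192.168.1\n"
REQUIRED = ["192.168.1.8", "192.168.1.17", "10.0.0.200"]
```

Reviewing the address count per entry before saving the settings makes an accidentally broad prefix easy to spot.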
3. Preventing Eavesdropping
Even though you are restricting access by IP address and not exposing your secret API key to the client, it is still a concern that data is being transmitted to and from the AdvertServe servers over the public Internet.
It might hop over 20+ servers before it gets there. If any one of those servers along the way is compromised, an attacker could capture your secret API key and, more importantly, all of the data that you're transmitting back and forth.
What can you do to stop that? The same thing you do to protect financial transactions: use HTTPS with an SSL certificate. This encrypts the data going back and forth between your systems and the API so that it can't be read by anyone who might be attempting to listen in.
With AdvertServe, all accounts are automatically secured via SSL. This ensures that all data is encrypted as it travels across servers.
What are your API use cases? Drop us a line and let us know how an ad server API can best serve your needs.