Wait... There's an API?
For those of you that missed the announcement back in April, both AdvertPro and AdvertServe now have a complete data management, code generation and reporting API. What can you do with the API? Just about anything that you can do with the control panel. In fact, our control panel is running on top of the API, which means you could even go so far as to build your own. More commonly the API can be used for integration with other systems and automation of bulk operations.
For more information, please visit our developers page to access the API documentation.
Protect Your Secret Key
- Create a script using your language of choice (Java, Perl, PHP, Ruby, etc...) on your server that makes the request to the API and outputs its response.
- Your secret API key should be stored in the script or in a file or environment variable that it can read.
- Restrict file system access to your script or other file(s) where your secret API key is stored to only the necessary system users.
This accomplishes the goal of keeping your API key a secret because it does not need to be transmitted to the client.
Restricting API Access
The API settings allow you to restrict access by IP address. This should be used to permit only the systems that need to use the API to connect to it. Like the IP address targeting in AdvertPro it supports range matching. For example, if you enter 192.168.1. it will allow access from 192.168.1.0 through 192.168.1.255 or if you need to target a smaller group of IP addresses entering 192.168.1.[8-16] would only allow access from 192.168.1.8 through 192.168.1.16. Just make sure to only put one IP address or range per line in the box when entering them.
Even though you are restricting access by IP address and not exposing your secret API key to the client, it is still a concern that data is being transmitted to and from the AdvertPro or AdvertServe servers over the public Internet. It might hop over 20+ servers before it gets there. If any one of those servers along the way is compromised an attacker could capture your secret API key and more importantly all of the data that you're transmitting back and forth.
What can you do to stop that? The same thing you do to protect financial transactions: use HTTPS with an SSL certificate. This encrypts the data going back and forth between the API so that it can't be read by anyone who might be attempting to listen in.
With AdvertServe getting an SSL certificate is easy. Just contact support and ask them to set up SSL for your account. It only takes a few hours to set up and it's only $10/month! This will also secure your control panel and enable you to serve ads to secure pages as a bonus.
AdvertPro users will need to purchase and install an SSL certificate with Tomcat or Apache if they're using mod_proxy_ajp. Our recommendation is the Standard SSL certificate from GoDaddy. It's only $69.99/year and it's guaranteed compatible with Tomcat, which is something I can't say for many other SSL vendors. Many of them claim their SSL certificates will work with Java applications but they don't and SSL certificates are generally non-refundable. Don't say you weren't warned!
In the coming weeks I will be writing several articles about using the API for various purposes. Security comes first though. Some of the things that I plan on writing about will include creating advertiser and publisher signup forms, bulk zone creation, bulk changes to campaigns and media and how to create a script to e-mail PDF reports to you. If you have anything else that you'd like to see an example of, please comment!