Video tutorial followed by text explanation on all the permission aspects.
Use of API key – To use VdoCipher with your website or app, your server program needs to communicate with the VdoCipher server to allow a video to play back, upload a video, or get a list of videos matching a search. The server can be a CMS platform such as WordPress or Moodle, or a custom website built with PHP, Node.js, C# or Ruby.
Keeping the keys safe
Your account password can be used to log in to your VdoCipher account and do everything, such as upload, search, play or delete videos, so keep your password secret from others. Treat the API keys as passwords to your account too, and share them with caution with your team members.
Your website and mobile app have a front-end and a back-end component. The front-end runs on your user's device. Never use your API key in the mobile app or website JavaScript code. It is as unsafe as putting your password on Twitter.
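One way to enforce this before each release, as an added example (not VdoCipher's own code): a Node.js check that reports any front-end build file containing the server-side API key in plain, base64, hex or URL-encoded form. The sample key, the sample file contents and the `VDO_API_KEY` environment variable name are constructed for illustration.

```javascript
const TEXT_EXT = /\.(js|mjs|html|json|map|xml|plist)$/i; // text assets worth scanning

// Forms a key commonly takes once bundled into, or "hidden" in, client code.
function keyVariants(apiKey) {
  const buf = Buffer.from(apiKey, "utf8");
  const all = [
    ["plain", apiKey],
    ["base64", buf.toString("base64").replace(/=+$/, "")], // key encoded on its own
    ["hex", buf.toString("hex")],
    ["urlencoded", encodeURIComponent(apiKey)], // equals plain for alphanumeric keys
  ];
  return all.filter(([, v], i) => all.findIndex(([, w]) => w === v) === i);
}

// files: array of { path, content }. Findings name file and encoding, never the key.
function findKeyLeaks(files, apiKey) {
  if (!apiKey || apiKey.length < 16) throw new Error("empty or short key: refusing to scan");
  const findings = [];
  for (const [encoding, needle] of keyVariants(apiKey)) {
    for (const f of files) {
      const hay = encoding === "hex" ? f.content.toLowerCase() : f.content;
      if (hay.includes(needle)) findings.push({ path: f.path, encoding });
    }
  }
  return findings;
}

// Recursively load text assets from a build directory (e.g. ./dist) and scan them.
// In CI: fail the build if scanDir("dist", process.env.VDO_API_KEY) returns anything.
function scanDir(dir, apiKey) {
  const fs = require("node:fs"), path = require("node:path");
  const files = [];
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) walk(p);
      else if (TEXT_EXT.test(e.name)) files.push({ path: p, content: fs.readFileSync(p, "utf8") });
    }
  };
  walk(dir);
  return findKeyLeaks(files, apiKey);
}

// Constructed sample: a fake key and fake bundle files, not real VdoCipher values.
const SAMPLE_KEY = "EXAMPLEkey0123456789abcdefEXAMPLE";
const SAMPLE_FILES = [
  { path: "dist/app.js", content: 'const cfg={apiKey:"' + SAMPLE_KEY + '"}' },
  { path: "dist/player.js", content: 'const k=atob("' + Buffer.from(SAMPLE_KEY).toString("base64") + '")' },
  { path: "dist/index.html", content: "<div id='player' data-otp='short-lived-token'></div>" },
];
```

A clean result only shows that the key is absent in these four encodings; a key found in a shipped build should be treated as compromised and rotated.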
What are permissions?
You can limit what information can be obtained from the API using a given key by specifying its permissions. All keys have the viewer permission. This means the key can read everything on the dashboard. It cannot obtain other API keys and cannot play any video.
- otpCreator is specially made to be used on your server where you will generate temporary tokens so that your logged-in users can watch their videos.
- uploader permission allows uploading videos to your vdocipher account.
- editor is the highest permission and allows all video management and configuration changes other than adding or removing team members.
An API secret key is required for development so that your VdoCipher account can be linked directly to your backend and dynamic URLs can be generated for more secure playback. It is also required as a setting in the plugins for both WordPress and Moodle.
These are the steps to generate an API key:
1. Go to the “Security & Config” section.
2. Click on “Generate API Key”.
3. Click on the copy option and copy the API key, because it will be visible to you only once.
4. The key has the OTP creator and editor permissions by default. You can change the permissions, but it is recommended to keep them that way, especially for Moodle and WordPress users.
5. You can generate a maximum of 3 keys for an account, so if your old keys are not in use you can delete them.
6. Be careful when deleting a key: once a key is deleted, any live playback using that secret key will stop.
How to rotate API Keys?
In case your API keys are compromised, or you change passwords and security keys as a matter of your own policy, you should rotate the API keys. Follow the best practices for rotation of security keys. The steps below are just a recommendation; use your own judgement and consult your system admins and developers before making any change.
- If a key is not in use, delete it. After deleting, wait for some time to check that your application is working fine without the key. You should delete unused keys anyway, even if you are not rotating.
- Ensure that the keys have only the minimum required permission.
- Create a new key with the same permission as the live key.
- Change the key on your server application. Restart the server process, if needed, according to your system operations policy.
- Ensure that the new key is working correctly. You can wait as long as needed to verify that the key is correctly set up and working fine.
- Delete the older keys and ensure that the website/app is working correctly afterwards.