Make api key only work on one domain?

Is there a way to make the API key only work on one domain? I'm scared of someone stealing it and getting all my data, as no matter how secure I make it there will always be a way around it, and I want my customers to be as secure as possible.

If you change the domain in the API request but keep the same API key, you will find that the API call is not successful.
This will confirm that the API key will only work in the domain that you created it in.

Thankfully, Syncro have made it possible to restrict what each API key has access to.
Though stealing the API key will always be a problem until Syncro enhance the security config for the API:

  • OAuth2

  • Key expiry

  • IP restrictions

  • Logging when the API is used, and allowing Syncro customers to access/monitor those logs.

BTW: Where you are putting your API key is also important. Are you storing it in scripts?

1 Like

Thanks.
So I am trying to make a self-service for my service plans on my website, but no matter which option I go down there will always be a way to steal the API key and with it all of the customer data. I looked into storing it in a .env file, but that has flaws; in a database, same flaws. But with Google's API you can restrict which domains can use the API, and I can't find this feature in Syncro's.

Ahhh, I understand your problem now.
I suggest you find a way to store (and access) your API key in Azure Key Vault.
Then you can lock down requests for the API key to the IP Address of your website using conditional access.
Azure Key Vault security overview | Microsoft Docs
I’m yet to use Azure Key Vault in any serious way, but it would be worth a look.

If your programming skills allow for it, you might also consider building an API proxy on top of the Syncro APIs.
I would use WCF .NET or gRPC .NET for this, but there are lots of other options too.
This way you can choose which API fields for each Syncro API can be retrieved by your website.
For example, the Syncro API /customers retrieves all the contacts, phone numbers, contracts, and addresses with a single API for all customers. Not a great design, but that is all we have.

You could create a ForFar API called /get_cust that under the hood calls the Syncro API /customers but strips out the contacts, phone numbers, contracts, and addresses before sending any data to your website, if that is what you want.
In your proxy you could also code in logging, monitoring and alerting.

Also consider your website.
Who hosts it?
How is it secured?
Who is monitoring it?

Personally I would get a cloud VM that you 100% manage, install Plesk, install Imunify360 and the auto-updating version of WordPress Toolkit.
If you use a VM hosted in Azure, then that might make it easier for your website to access the Azure Key Vault.

Syncro hasn’t done well in this area to make it easy to do what you are wanting to do.
There is lots of work to do. Depends on how secure you want to go.

Hope this helps.

Thank you, I very much appreciate your reply; it has given me lots to work with. The API proxy was something I was thinking about, so I may go down that route. From my current research it seems that quite a lot of websites have accepted one flaw over another, and there is obviously no true way to hide it; someone will get in. But yes, moving to a more secure platform is a good idea. Currently with IONOS but not too impressed, lots of phishing etc. I had an idea to store bits of the API key across the internet in images uploaded to different platforms, but that is also quite a lot of work. If only the Zapier integration would get some love, it's so close to what I need.

Proxy is probably the wrong word to describe what I’m talking about.
In the past I have used .NET WCF.
Even though Microsoft have declared WCF Server out of support, this simple code can still be used as a demonstration/example, and you can write WCF code in Visual Studio. There are plenty of articles online about how it works.
Tutorial: Implement a Windows Communication Foundation service contract - WCF | Microsoft Docs

Changing that for you to get a customer name could be code like below.
Your website calls (https://myServer.com:8000/mySyncro/getCustName?custID=1234)
and gets the customer name from Syncro via your CustomSyncroService.
The response will come back as XML SOAP (not REST JSON). It is possible to get a response back as JSON, but that is harder to implement.

A good thing about WCF is that authentication, authorisation and restricting by source IP address are all built-in features of WCF.

There is a bit more to it to get a full .NET WCF service going, especially if you want to get it self-hosted as a Windows Service with SSL support and Let's Encrypt certificates. But as I've done it, I know it is doable.
This is merely some hints to get you started.

using System.ServiceModel;

[ServiceContract]
public interface ICustomSyncro
{
    [OperationContract]
    string getCustName(string custID);
}

public class CustomSyncroService : ICustomSyncro
{
    public string getCustName(string custID)
    {
        // The key is fetched server-side at call time; it never reaches the website.
        string api_key = getKeyFromAzure();
        string customerName = getSyncroCustomer(custID, api_key);
        return customerName;
    }

    // Your code: retrieve the Syncro API key from Azure Key Vault.
    private static string getKeyFromAzure() { throw new System.NotImplementedException(); }

    // Your code: call the Syncro /customers API and return just the name.
    private static string getSyncroCustomer(string custID, string api_key) { throw new System.NotImplementedException(); }
}

getKeyFromAzure is a subroutine you would write to get your API key out of Azure.
getSyncroCustomer is a subroutine you would write to call the Syncro API.
Of course you would need to host this code as an application on your own Windows box, but hiding that behind a firewall and locking it down shouldn't be too difficult for anyone here.

1 Like
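As an added illustration of the field-stripping proxy described in the earlier post (/get_cust calling /customers and dropping contacts, phone numbers, contracts and addresses) and sketched in the WCF snippet above, here is a Python version; this is example code, not from the thread or from Syncro. The allowed field names, the 203.0.113.0/24 website address range and the sample /customers payload are assumptions.

```python
import logging
import os
from ipaddress import ip_address, ip_network

log = logging.getLogger("syncro_proxy")
# Fields the website may receive; everything else is stripped.
ALLOWED_FIELDS = {"id", "business_name", "fullname"}
# Assumed address range of the website host; only it may call the proxy.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]

def get_api_key(env=os.environ):
    # Stand-in for getKeyFromAzure(): the key lives server-side only.
    key = env.get("SYNCRO_API_KEY")
    if not key:
        raise RuntimeError("SYNCRO_API_KEY is not configured")
    return key

def source_allowed(client_ip):
    return any(ip_address(client_ip) in net for net in ALLOWED_SOURCES)

def strip_customer(record):
    # Drop contacts, phone numbers, contracts, addresses and anything else.
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

def get_cust(cust_id, client_ip, fetch_customers, env=os.environ):
    """Serve /get_cust?custID=...: gate by source IP, call upstream with the
    server-side key, log the access and return only the allowed fields."""
    if not source_allowed(client_ip):
        log.warning("denied customer %s lookup from %s", cust_id, client_ip)
        return None
    customers = fetch_customers(get_api_key(env))  # upstream /customers call
    for rec in customers:
        if str(rec.get("id")) == str(cust_id):
            log.info("served customer %s to %s", cust_id, client_ip)
            return strip_customer(rec)
    return None

# Constructed sample standing in for a Syncro /customers response; the real
# field names are not shown in the thread and are assumed here.
SAMPLE_CUSTOMERS = [
    {"id": 1234, "business_name": "Acme", "fullname": "Ann Example",
     "phone": "555-0100", "address": "1 Main St", "contracts": [{"id": 9}]},
]

def fake_fetch(api_key):
    # Stands in for getSyncroCustomer(); a real one would HTTP-call Syncro.
    assert api_key
    return SAMPLE_CUSTOMERS
```

The website only ever sees the stripped record, and the key is read from the server environment (or a vault) per request, so a compromised front end exposes neither the key nor the full customer data.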