API keys are essential for integrating services, but web apps come with a unique challenge: anything shipped to the browser is readable by whoever loads the page, so an API key embedded in a web app can be found and misused. That's where Permitted URLs come in: a straightforward way to make sure your Shake API key only works on the sites you trust.
How permitted URLs keep your API key secure
If you're using our mobile SDK, security is fairly tight by default, as each API key is tied to a specific bundle_id. So, unless someone gets access to your actual mobile app, it will be very tricky for them to steal and misuse that key. Web apps don't have this luxury. Since everything runs client-side, your API key is sitting in the JavaScript the browser downloads, visible to anyone who views the page source or opens the browser's developer tools.
Without protection, someone could copy your API key and use it from a site of their own. Permitted URLs prevent this by accepting requests only from the URLs you specify. So, even if someone does find your key, requests from anywhere outside your permitted domains are rejected, and the copied key is worth very little to them. It's a simple but effective way to minimise risk without complex workarounds. In practice, list only the exact production origins your app is served from, avoid broad wildcards, and keep localhost and staging hosts on separate keys rather than adding them to the production one.
Extra control with API key management
While Permitted URLs are a solid layer of security, we know it’s impossible to eliminate all risks entirely. That’s why Shake also offers API key management. You can create and manage multiple API keys, so if one is ever compromised, it’s easy to revoke it and generate a new one. This gives you an extra layer of control and lets you respond quickly if you detect unusual activity.
To sum up
Permitted URLs let you control where your API keys can be used, adding a critical security measure for web apps. By limiting your API key’s functionality to specific URLs, you reduce the risk of unauthorised use. Combine this with our API Key Management, and you’ve got a robust setup to help keep your integration secure.