Skip to main content
All CollectionsWorkspace Administration
Why do we use Permitted URLs? • Protecting your API Keys
Why do we use Permitted URLs? • Protecting your API Keys

What are Permitted URLs and why are they important?

Shake Typing avatar
Written by Shake Typing
Updated over a month ago

It's well known that API keys are essential for integrating services. But web apps come with a unique challenge: API keys are much more accessible in the browser, which means anyone can potentially find and misuse them. That’s where Permitted URLs come in - a straightforward way to make sure your Shake API key only works on the sites you trust.

How permitted URLs keep your API key secure

If you’re using our mobile SDK, security is pretty tight by default, as each API key is tied to a specific bundle_id. So, unless someone gets access to your actual mobile app, it will be very tricky for them to steal and misuse that key. Web apps, however, don’t have this luxury. Since everything is client-side, your API key is just sitting there in the browser, visible to anyone who opens and knows their way around the browser.

Without protection, someone could easily copy your API key and use it elsewhere. Permitted URLs prevent this by allowing requests from only the URLs you specify. So, even if someone does find your key, they’ll have a bad time if they try to use it outside your permitted domains. It’s a simple but effective way to minimise risk without complex workarounds.

Extra control with API key management

While Permitted URLs are a solid layer of security, we know it’s impossible to eliminate all risks entirely. That’s why Shake also offers API key management. You can create and manage multiple API keys, so if one is ever compromised, it’s easy to revoke it and generate a new one. This gives you an extra layer of control and lets you respond quickly if you detect unusual activity.

To sum up

Permitted URLs let you control where your API keys can be used, adding a critical security measure for web apps. By limiting your API key’s functionality to specific URLs, you reduce the risk of unauthorised use. Combine this with our API Key Management, and you’ve got a robust setup to help keep your integration secure.

Did this answer your question?