How to Use Custom API Keys

April 13, 2020

Custom API keys may not seem like the most exciting feature of Backendless, but the flexibility that they provide is extremely valuable. In this article, we are going to take a closer look at this unheralded feature.

API Keys For Different Apps

The businesses that benefit most from custom API keys are those that run multiple applications for different groups of users or user roles. Let’s take a look at two examples.

Ride-Sharing App Example

Let’s say you have a ride-sharing business like Uber or Lyft. You offer one application for your customers and one for your drivers. These apps provide different user interfaces but they still utilize a lot of the same data.

With custom API keys for Backendless, you can use a different API key for each of the apps. When you create a custom API key in Backendless, a new security role is automatically generated. You can then modify that security role to limit access to certain data, files, and functions in the backend. The backend will then automatically apply the appropriate security policy based on the role associated with the API key.

Thus, when a user creates an account or logs in, they will receive an API key based on their user type, which the backend will use to control their access. This protects your data and backend functions from being inappropriately accessed.

Create Custom API Key and Automatically Generate Security Role

Let’s go back to our example to better understand this idea. Let’s say your ride-sharing business has two apps, one for drivers and one for riders. Both parties need access to:

  • Pickup location
  • Dropoff location
  • Total cost of the trip
  • Pickup time
  • Estimated dropoff time
  • Expected route
  • Driver’s rating
  • and so on.

The passenger needs access to:

  • Personal profile information
  • Credit card/payment information
  • Personal ride history

The driver needs access to:

  • Payment breakdown – how much the driver gets vs. how much the business takes
  • Personal driving history
  • Future stops
  • Hours driven
  • Detailed ratings

As you can see, there’s plenty of data that both parties should be able to see, but there are also important elements that each party needs that should not be visible to the other. Custom API keys – and the associated custom security roles – allow you to provide access to only the data and functions that a given user is allowed to work with.
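The rider and driver access lists above can be written down as per-role allow-lists and checked mechanically. The following is an added example, not Backendless code and not part of the original article: it models key-to-role resolution with default deny and audits a set of grants against the intended policy. The key placeholders, role names and field names are assumptions made for illustration, and it does not call the Backendless API.

```python
# Added example: audit a role-per-API-key policy against the access lists above.
# Key placeholders, role names and field names are constructed for illustration.

SHARED = {"pickup_location", "dropoff_location", "total_cost", "pickup_time",
          "estimated_dropoff_time", "expected_route", "driver_rating"}

# role -> fields that role may read; anything not listed is denied
EXPECTED = {
    "RiderApp": SHARED | {"rider_profile", "payment_info", "rider_ride_history"},
    "DriverApp": SHARED | {"payment_breakdown", "driving_history",
                           "future_stops", "hours_driven", "detailed_ratings"},
}
KEY_TO_ROLE = {"RIDER-KEY-PLACEHOLDER": "RiderApp",
               "DRIVER-KEY-PLACEHOLDER": "DriverApp"}


def visible_fields(api_key, record, grants):
    """Simulate the backend: resolve key -> role, return only granted fields.
    An unknown key resolves to no role and sees nothing (default deny)."""
    role = KEY_TO_ROLE.get(api_key)
    allowed = grants.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def audit(grants, record):
    """Compare what each key can actually read with EXPECTED.
    Returns sorted (role, kind, field) findings; an empty list means a match."""
    findings = []
    for key, role in KEY_TO_ROLE.items():
        seen = set(visible_fields(key, record, grants))
        findings += [(role, "over-exposed", f) for f in seen - EXPECTED[role]]
        findings += [(role, "missing", f)
                     for f in (EXPECTED[role] & set(record)) - seen]
    return sorted(findings)


# Constructed trip record containing every field from both lists.
RECORD = {f: "x" for f in EXPECTED["RiderApp"] | EXPECTED["DriverApp"]}

# Constructed misconfiguration: the driver role can read the rider's
# payment_info and has lost access to future_stops.
MISCONFIGURED = {
    "RiderApp": set(EXPECTED["RiderApp"]),
    "DriverApp": (EXPECTED["DriverApp"] | {"payment_info"}) - {"future_stops"},
}

if __name__ == "__main__":
    print(audit(EXPECTED, RECORD))
    print(audit(MISCONFIGURED, RECORD))
```

Running the same comparison against the permissions actually configured for each role catches a grant that exposes one party's data to the other before the apps ship.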

By adjusting the security policy in Backendless, you do not need to implement any custom safeguards in your code. Instead, all you have to do is manage a few API keys and security settings, then let your backend handle it. Much easier, right?

Adjust Permissions

For a great example of this feature in action, check out our Backendless Spotlight on FindReps.

Restaurant Delivery App Example

Let’s take a look at another example. In this instance, we may have three different applications, not just two. Let’s say we have a business model that supports food delivery, such as Grubhub or DoorDash.

For a business like this, you may have three separate applications: one for restaurant owners, one for delivery drivers, and of course, one for shoppers. All three parties need access to:

  • Customer order
  • Delivery location
  • Estimated delivery date/time
  • Order cost

Both the restaurant and driver need to know:

  • Breakdown of customer payment – How much does the driver, restaurant, and app company make?
  • Pickup time – When will the order be ready?

Both the driver and customer need to know:

  • Tip amount

Once again, there is select information that only certain parties need, while the bulk of the information is shared by all three. And once again, the best way to restrict data is through security roles applied by the backend.

Custom API keys are just one feature in Backendless that helps you craft the perfect backend for your business needs. If you have any questions about this tool, please visit our support forum or Slack channel.

Thank you for reading and Happy Coding!
