Retrieving Session Key

Khoros Oracle

4 years ago

Hi Shery,

Here is an article that walks you through getting a REST session Key and including it in an API request:

https://developer.khoros.com/khoroscommunitydevdocs/docs/session-key

You should avoid storing the API session key in the browser and you don't have to make API calls using an API session key if you are making them from a community page.

If you are on a community page and you don't pass an API session key, then it should be made as the currently signed-in user for the page (with checks to prevent XSRF). Always use HTTP POST for calls that modify data (such as message posting) and never make the call on page load (always require a form submit).

You could also do these server-side via a studio endpoint and it would use the current user's community web session to authenticate them. If you do that, make sure to add checks in the endpoint that only allow HTTP POST (and doesn't allow GET) and also add some kind of XSRF protection.

Don't make API or Endpoint calls that modify data during page load (always require a form submit).

If you are calling the API from a different domain then you should make a server-to-server call with the API session key, but never store the key in a browser.

I hope this helps.

-Doug

Forum Discussion

Retrieving Session Key

Related Content

REST API. Cannot retrieve Session key.

Retrieving Session Variable Profile.Language

Issue in getting the session key.

Passing session key to end point

Queries related to session key

Recent Discussions

API v1 docs gone since Atlas migration to Aurora

Does anyone know how to change the display title of Custom Fields in Aurora?

Can someone walk me through authenticating and using Postman with Aurora?

Seeking Advice on Restricting Access to a posts to those who have the permalink.

TinyMceEditor is undefined