mailgun / validator-demo

Mailgun email address jquery validation plugin http://mailgun.github.io/validator-demo/
Apache License 2.0

Exposing API Key to the Public #3

Closed barefootdeveloper closed 9 years ago

barefootdeveloper commented 9 years ago

Am I correct in stating that by putting the API key in a jQuery plugin it'd allow people to send emails on my behalf, provided that they knew the domain of the account?

It seems like all they'd have to figure out is the domain which would be in the header information for all the emails sent.

Am I overlooking something or should we really have a client validation API key in addition to a sending email api?

russjones commented 9 years ago

You use your public key [1] with the validation API, which does not enable you to send emails.

[1] This is a somewhat poorly named key. It's not a public key in the public-key cryptography sense, but public in the sense that you can expose it to the public, because you can't send emails with it.

barefootdeveloper commented 9 years ago

I guess what confuses me is that when I'm in the control panel I only see a single API key, and if you look at their curl example for sending e-mail it utilizes that same key.

curl -s --user 'api:key-3ax6xnjp29jd6fds4gc373sgvjxteol0' \
  https://api.mailgun.net/v3/samples.mailgun.org/messages \
  -F from='Excited User <excited@samples.mailgun.org>' \
  -F to='devs@mailgun.net' \
  -F subject='Hello' \
  -F text='Testing some Mailgun awesomeness!'

It utilizes that same key. Is there another key that I'm missing in the control panel?

russjones commented 9 years ago

If you log in to your account you will see, under a section titled "API Keys", a Secret API key and a Public API key. The example you posted is using the Secret API key, which you should not share. The email validation service uses the Public API key.

barefootdeveloper commented 9 years ago

I found it. I kept looking under domain and simply saw the single API key; then, when you said my account, I looked under Account Settings. Finally I noticed a My Account breadcrumb, clicked on that, and realized it went back to the Dashboard, and there it was.

Sorry for the stupid question.

jeffreykemp commented 6 years ago

Mailgun provides two types of API keys that can be used to access the email validation API:

- Public Validation Key - Suitable for use in client-side web applications, such as through the jQuery plugin.
- Private API Key - To be used in backend applications where there is not a risk of key exposure.

Mailgun recommends that you use the private key. When using the public validation key, you should set a rate limit to mitigate usage if your key is compromised. This limit can be set in your Account Settings.
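The thread's core risk is the Secret API key from the curl example ending up in browser-delivered JavaScript. Below is an added example, not code from the validator-demo project, of a pre-deploy check that scans a built client bundle for a secret-shaped key; it assumes secret keys have the shape of the sample key above (`key-` plus 32 lowercase alphanumerics), that public validation keys carry a `pubkey-` prefix, and the plugin option name `api_key` is assumed.

```javascript
// Added example (not part of the validator-demo project): flag Mailgun-style
// Secret API keys in client-side source before it ships to browsers.
// Assumption: secret keys look like "key-" + 32 lowercase alphanumerics (the
// shape of the sample key in the curl example). "pubkey-..." values are assumed
// to be public validation keys and are allowed in client code; the \b before
// "key-" never matches inside "pubkey-" because "b" and "k" are both word chars.
const SECRET_KEY_RE = /\bkey-[a-z0-9]{32}\b/g;

// Returns one finding per secret-shaped key: 1-based line and column, plus a
// masked copy so the report itself does not leak the secret.
function findExposedSecretKeys(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(SECRET_KEY_RE)) {
      findings.push({
        line: idx + 1,
        column: m.index + 1,
        masked: m[0].slice(0, 8) + '*'.repeat(m[0].length - 8),
      });
    }
  });
  return findings;
}

// Gate for a build pipeline: true only when no secret-shaped key is present.
function isSafeToShip(source) {
  return findExposedSecretKeys(source).length === 0;
}

// Constructed sample bundle: a plugin call using a (fake) public validation
// key, plus a leftover secret key copied from the curl example on this page.
const SAMPLE_BUNDLE = [
  "$('#email').mailgun_validator({",
  "  api_key: 'pubkey-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',",
  "});",
  "// leftover from the sending example; must never reach the browser",
  "var auth = 'api:key-3ax6xnjp29jd6fds4gc373sgvjxteol0';",
].join('\n');

for (const f of findExposedSecretKeys(SAMPLE_BUNDLE)) {
  console.log(`secret key at line ${f.line}, column ${f.column}: ${f.masked}`);
}
```

Run it as a step in the build and fail the deploy when `isSafeToShip` returns false; the public validation key line produces no finding.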

stephen-tenorless commented 8 months ago

The private key is not displayed. Has it been deprecated?