Wed, Dec 11, 10:05 PM

API Calls, Keys and Security

  • Zaj

    2 months ago

    Hello,
    I've recently joined the movement 🙂 and been working daily in Toddle but I have a couple of questions:
    1. By default, are the API calls made client-side or server-side in Toddle?
    2. If the API I'm using requires authentication, can I simply use it in Toddle? Will the authentication be handled server-side or client-side?
    If it's client-side, what's the best practice for storing the API key securely? Is storing it in a cookie the best approach or are there other methods you would recommend? Thanks for your help!
  • Lucas G

    2 months ago

    1) As of now, APIs with "auto fetch" turned on AND at a page level are fetched server-side. APIs in components always run client-side.
    This, however, will change in the upcoming update to APIs, which will give you the option of choosing when the API runs, regardless of whether it is at page or component level.
  • Lucas G

    2 months ago

    There are different parts to the auth question.
  • Lucas G

    2 months ago

    If it requires a login, like connecting to Supabase, Xano, etc., then the session cookie is set via action and is sent with the requests when you proxy the call through toddle's servers.
  • If you don't proxy the call, the session cookie won't be sent. You cannot read these cookies client-side as they are typically HTTP-only.
  • If you are referring to an API key like, say, for OpenAI or similar, those are not securely stored anywhere and would be available on the client side.
  • So best practice is to make those types of requests from a backend.
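
The last point in the thread (make API-key requests from a backend) as an added example; it is not code from the thread or from toddle. The upstream URL, the path allowlist and the `UPSTREAM_API_KEY` variable name are assumptions: the browser calls this backend without any key, and the backend attaches the key from its own environment.

```javascript
// Added example. UPSTREAM_BASE, ALLOWED_PATHS and UPSTREAM_API_KEY are
// illustrative assumptions, not toddle or vendor identifiers.
const UPSTREAM_BASE = "https://api.example.com";          // placeholder upstream API
const ALLOWED_PATHS = new Set(["/v1/chat/completions"]);  // only what the app needs
const FORWARDED_HEADERS = ["content-type", "accept"];     // client auth/cookies are dropped

// Turn a browser request into the upstream request. The key comes from the
// server's environment, so it never appears in client-side code or responses.
function buildUpstreamRequest(clientReq, env) {
  const apiKey = env.UPSTREAM_API_KEY;
  if (!apiKey) throw new Error("UPSTREAM_API_KEY is not set on the server");
  if (clientReq.method !== "POST") return { error: 405 };

  // Normalise first so "/v1/../admin" or "//other-host/..." cannot slip past
  // the allowlist; only the pathname is kept and the host is always ours.
  const path = new URL(clientReq.path, "http://localhost").pathname;
  if (!ALLOWED_PATHS.has(path)) return { error: 404 };

  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers || {})) {
    const lower = name.toLowerCase();
    if (FORWARDED_HEADERS.includes(lower)) headers[lower] = value;
  }
  headers.authorization = `Bearer ${apiKey}`; // injected server-side only

  return { url: UPSTREAM_BASE + path, method: "POST", headers, body: clientReq.body };
}

// Backend handler: call this from whatever server framework hosts the proxy.
async function proxy(clientReq, env, fetchImpl = fetch) {
  const out = buildUpstreamRequest(clientReq, env);
  if (out.error) return { status: out.error, body: "" };
  const res = await fetchImpl(out.url, out);
  return { status: res.status, body: await res.text() }; // upstream headers not echoed
}
```

Because anyone who can reach this endpoint can spend the key's quota, it should sit behind the app's own session check and rate limiting.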

© Copyright 2024 toddle. All rights reserved.