When you create an application in the Hoiio Developer Portal, you will be assigned an Application ID (app_id) and an Access Token (access_token).
|Application ID||This is an identifier for us to know who is calling our API. It is linked to the application you have created at the Developer Portal.|
|Access Token||This is a secret key that represents an authorization for controlled access or usage of a Hoiio account by a particular application. Keep this key a secret. If you suspect your Access Token is compromised, dispose it and create a new one.|
You should keep your Access Token a secret. Anyone possessing the Access Token will be allowed to make API requests which might incur unauthorized charges to the rightful owner.
Like passwords, not sharing the Application ID and Access Token to anyone else is the best way of keeping your keys secret. However, you should avoid the common pitfall many beginner programmers fall into - unwittingly exposing the keys. The following highlight the do’s and don’ts to avoid such a mistake.
Do store your keys only in server-side code You should store the keys like how you would for your database password. It shouldn’t show up on a client’s browser.
Don’t embed your keys as hidden fields in HTML forms They show up when anyone view the page source.
Don’t embed your keys in codes that you will distribute The codes include desktop and mobile applications. The keys can be retrieved with reverse engineering. Likewise, obfuscation does not help.
Don’t embed your keys in Flash ® There are ways to reverse engineer the compiled binary back into source code. The keys will then be in plain sight.