Security

When working with the Chargetrip API, your keys can be visible to anyone who makes an effort to look for them. That is why we recommend adding a layer of restrictions to build secure applications and prevent unauthorized use.

Note
We recommend that you always add an app id with the appropriate restrictions.

Application keys

When you configure a new project, or create or edit an application, you can set up its security. You can use HTTP referrer, Android fingerprint and iOS bundle identifier restrictions. By default, no restrictions are set. Be aware that you can set only one restriction type per application ID.

HTTP referrer

An HTTP referrer restriction limits the URLs that can use an application ID / x-app-id. This is useful when building any type of web application. You can add as many URLs to a single application as you would like.

Here are some examples of URLs that you can allow when setting up a referrer restriction:

  • A specific URL with an exact path: www.example.com/path
  • Any URL in a single domain with no subdomains, using a wildcard asterisk (*): example.com/*
  • Any URL in a single subdomain, using a wildcard asterisk (*): sub.example.com/*
  • Any subdomain or path URLs in a single domain, using wildcard asterisks (*): *.example.com/*
  • A URL with a non-standard port: www.example.com:8000/*

Note
Query parameters and fragments are not supported. When added, they will be ignored.
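
The pattern rules above can be checked locally before an allow list is saved. The following is an added example, not Chargetrip's own code: it models the listed patterns under the assumptions that `*` in the host stands for one or more subdomain labels, that the scheme is not compared, and that the port must match exactly. The names normalize, compilePattern and isAllowed are hypothetical, and the server-side matching may differ.

```javascript
// Added example: a local model of the referrer patterns listed above.
// Assumptions (not confirmed by the page): '*' in the host stands for one or
// more subdomain labels, the scheme is not compared, ports must match exactly.

// Reduce a URL or pattern to host[:port] and path; scheme, query and fragment are dropped.
function normalize(value) {
  const noScheme = value.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const noQuery = noScheme.split(/[?#]/)[0];
  const slash = noQuery.indexOf('/');
  const host = (slash === -1 ? noQuery : noQuery.slice(0, slash)).toLowerCase();
  const path = slash === -1 ? '/' : noQuery.slice(slash);
  return { host, path };
}

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Compile one pattern into anchored regexes so look-alike hosts cannot match.
function compilePattern(pattern) {
  const { host, path } = normalize(pattern);
  const hostRe = host.split('*').map(escapeRegex).join('[a-z0-9.-]+');
  const pathRe = path.split('*').map(escapeRegex).join('.*');
  return { host: new RegExp(`^${hostRe}$`), path: new RegExp(`^${pathRe}$`) };
}

function isAllowed(referrer, patterns) {
  const target = normalize(referrer);
  return patterns.some((p) => {
    const re = compilePattern(p);
    return re.host.test(target.host) && re.path.test(target.path);
  });
}

// Constructed allow list and referrers, for illustration only.
const allowList = ['www.example.com/path', '*.example.com/*', 'www.example.com:8000/*'];
const samples = [
  'https://www.example.com/path?utm=1#top', // exact path; query and fragment dropped
  'https://app.example.com/routes/plan',    // covered by *.example.com/*
  'https://example.com/',                   // bare domain: needs example.com/*
  'https://example.com.lookalike.test/',    // look-alike host, must not match
];
for (const s of samples) console.log(isAllowed(s, allowList), s);
```

Under these assumptions the bare domain is not covered by `*.example.com/*`, so an application served from both example.com and its subdomains needs both patterns on its allow list.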

IP Addresses

You can restrict access to the API by adding IP addresses to an allow list. This is useful when you use a backend application to proxy requests to another (frontend) application or when you use a GraphQL querying tool. You can add as many addresses or masks (e.g. 192.168.0.1/24) as you would like.

Android fingerprint

To restrict the use of an application ID on Android, you will need to provide your application identifier and debug / release certificate fingerprint. To use this restriction, you will need to send your identifier and fingerprint with every request by using the x-app-identifier and x-app-fingerprint headers.

Your application identifier can be found in your module's build.gradle file. To obtain your release or debug fingerprint, use any of the following commands:

Security / Linux | macOS (debug)
keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android
Security / Windows (debug)
keytool -list -v -keystore "%USERPROFILE%\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android
Security / Linux | macOS | Windows (release)
keytool -list -v -keystore your_keystore_name -alias your_alias_name

iOS bundle identifier

An iOS bundle identifier can be used to restrict the use of an application ID / x-app-identifier on any iOS application. To use this restriction, you will need to send your bundle identifier with every request by using the x-app-identifier header.

The bundle identifier is a unique identifier within the Apple ecosystem and uses reverse domain notation. Here is an example of such an identifier: com.example.app.ios.

To look up your identifier, navigate to project > targets > general in your Xcode project.