API keys
API Keys provide programmatic access to the Mambo APIs. They function similarly to administrator accounts, allowing you to configure specific levels of access across all your sites or to individual sites. For details on managing permissions, see the Administrators documentation.
When creating a new API Key, you can choose between OAuth or JavaScript key types, each serving different integration needs.
OAuth keys
OAuth keys are designed for back-end or server-to-server integration. They provide enhanced security by implementing the OAuth 2.0 client credentials flow to authenticate your API requests.
For detailed information about authenticating with OAuth keys, refer to the Authentication section in the API & SDK Documentation.
JavaScript keys
JavaScript keys enable requests to the JavaScript APIs or through widgets. For optimal security, JavaScript requests should be routed through a proxy that validates user authentication and authorisation.
You can configure write permissions for JavaScript keys using the JavaScript security settings.
Approved URLs
JavaScript keys include an additional security feature called Approved URLs. This is a list of URLs from which Mambo will accept JavaScript API requests.
The approved URLs support the asterisk (*) as a wildcard character to match any value, allowing you to specify both exact URLs and pattern-based matches. Examples include:
- https://acme.com/my/webpage (exact match)
- https://*.acme.com (matches any subdomain)
- https://acme.com/my/path/* (matches any page after /my/path/)
- https://*.acme.com/* (matches any acme subdomain and any path)
During development, when working safely behind a firewall that prevents external abuse of the JavaScript APIs, you can use the wildcard character alone to permit requests from any URL. While this approach simplifies development, it should be avoided in production environments for security reasons.
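The following is an added reference implementation of the Approved URL wildcard matching described above; it is example code written for this page, not Mambo's own matcher, and Mambo's actual semantics may differ. Because the page does not define exactly how `*` behaves, the example assumes: a pattern is split into an origin part (scheme and host) and a path part; `*` in the origin part matches any run of characters except `/`, so a path that merely ends in `.acme.com` cannot satisfy a host pattern; `*` in the path part matches anything, including `/`; a pattern with no path (such as `https://*.acme.com`) matches only the site root; the query string is ignored; and a bare `*` matches every URL, which `allowsAnyUrl` exists to flag. The sample configuration and test URLs are constructed.

```javascript
// Added example, not Mambo's own code: a reference matcher for the Approved
// URL wildcard syntax. All semantics below are assumptions, not documented
// Mambo behaviour (see the lead-in for the list).

function escapeRegExp(text) {
  // Escape regex metacharacters; "*" is handled separately by the caller.
  return text.replace(/[.+?^${}()|[\]\\\/]/g, "\\$&");
}

function wildcardToRegExp(text, wildcard) {
  // Each "*" in the pattern becomes the supplied regex fragment; the rest is literal.
  const source = text.split("*").map(escapeRegExp).join(wildcard);
  return new RegExp("^" + source + "$");
}

// "https://*.acme.com/my/path/*" -> { origin: "https://*.acme.com", path: "/my/path/*" }
function splitPattern(pattern) {
  const schemeEnd = pattern.indexOf("://");
  if (schemeEnd === -1) {
    throw new Error("approved URL pattern must include a scheme: " + pattern);
  }
  const slash = pattern.indexOf("/", schemeEnd + 3);
  if (slash === -1) {
    // No path in the pattern: assume it approves the site root only.
    return { origin: pattern.toLowerCase(), path: "/" };
  }
  return { origin: pattern.slice(0, slash).toLowerCase(), path: pattern.slice(slash) };
}

function matchesPattern(url, pattern) {
  if (pattern.trim() === "*") return true; // development-only catch-all

  let parsed;
  try {
    parsed = new URL(url); // normalises scheme/host case and resolves "." segments
  } catch (err) {
    return false; // unparsable URLs are never approved
  }

  const { origin, path } = splitPattern(pattern);
  // parsed.host includes any explicit port, so "https://acme.com:8443" must be listed to match.
  const urlOrigin = parsed.protocol + "//" + parsed.host;
  // A host wildcard never crosses "/", so it cannot be satisfied by path content.
  if (!wildcardToRegExp(origin, "[^/]*").test(urlOrigin)) return false;
  // A path wildcard may span "/" so "/my/path/*" covers nested pages; query string ignored.
  return wildcardToRegExp(path, ".*").test(parsed.pathname);
}

function isApprovedUrl(url, approvedUrls) {
  return approvedUrls.some((pattern) => matchesPattern(url, pattern));
}

// Audit helper: true when the configuration contains the bare "*" that the
// page recommends only for development behind a firewall.
function allowsAnyUrl(approvedUrls) {
  return approvedUrls.some((pattern) => pattern.trim() === "*");
}

// Constructed sample configuration mirroring the four examples on the page.
const SAMPLE_APPROVED_URLS = [
  "https://acme.com/my/webpage",
  "https://*.acme.com",
  "https://acme.com/my/path/*",
  "https://*.acme.com/*",
];
```

Splitting the host and path before applying the wildcard is the security-relevant design choice: if `*` were translated to a single unanchored `.*` over the whole string, `https://*.acme.com` would be satisfied by `https://evil.example/x.acme.com`. Running `allowsAnyUrl` over a production key's list is a cheap check to catch a development-only `*` that was never removed.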
Security best practices
When managing your API keys, consider these security recommendations:
- Rotate keys periodically to limit potential exposure
- Store keys securely and never commit them to public repositories
- Limit key permissions to only what's necessary for each integration
- Use different keys for development and production environments
- Monitor API usage to detect potential unauthorised access