Keeping your api pair out of source code

This tutorial gives you some guidance on how to keep you api key and pair outside of your source code, so when you generate them it does not cause you headache.

Why?

As we mentioned in our tutorial about getting the api key and api secret you have a limited number of requests that you can make against our football API. It poses a danger to you if someone finds out your API pair. This could lead to somebody else using your quota. Therefore, it is a good idea to keep your pair safe and regenerate it from time to time. However, if the api key and api secret are in the source code base, this could create potential problems when changing your api pair. Therefore, we advise in keeping the pair outside of your source codebase. There are two ways in which you can do that. The first option is a configuration file, and the second option is a database table.

Configuration file

Tons of applications use configuration files to set some system wide variables outside of the code base. An example of this will be .ini file. You can read more about this kind of files in wikipedia. Below follows an example of .ini file with our api key and secret pair written in.

LIVESCORE_API_KEY = demo_key
LIVESCORE_API_SECRET = demo_secret
Most modern programming languages have support for parsing and extracting data from .ini files. An example of this kind of language is PHP. We have listed an example of a PHP code that will give you the api key and api secret in variables in your PHP code.
$ini = parse_ini_file('path_to_ini_file'); // Will parse the contents of the ini file in the array
var_dump($ini['LIVESCORE_API_KEY']); // Will output the api key
var_dump($ini['LIVESCORE_API_SECRET']); // Will output the api secret
When you place the configuration in a separate file, you should make sure that this file does not end up in the source code version management repository. This may expose it to others if your repository is public. In the case of GIT you can put the filename in the .gitignore file so it does not get picked up when you do commits and pushes. In case you are making a web application accessible through a network, it might be a good idea to protect the file with access rights or forbidding it in the .htaccess file. This will prevent people from opening it in their browsers.
Read more on .gitignore
Read more on .htaccess

Database

In a case where your project runs with a database, and your source code has access to it. You can create a configuration table where a configuration key name is associated with a value. This way when changing your api key and api secret you will have to update the records in the database without touching the source.

Double check

Always when you change your api key or api secret, verify them against the specific api endpoint: In this example, we have used the demo api key and secret pair. If you login in, you will see all examples with your own api key and api secret You can copy this example code by clicking the file_copy button.

GET: