Is the API key considered secret? Is the token?
The API key is not considered secret. It's used, among other things, in front-end behavioral tracking requests sent by browsers, and is therefore visible in network calls from the browser.
The API token, however, is considered secret, and should only ever be sent to Constructor's API over SSL from secure back-end servers. The API token should be treated like a password and carefully protected. On Constructor's side, the token is not stored in plain text, but as a one-way hash. Because of this, the token value cannot be viewed or retrieved by Constructor.
For more information, see the article Getting Started with the Constructor API.
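To illustrate why a token stored as a one-way hash cannot be viewed or retrieved afterwards, here is an added sketch of that storage pattern; it is not Constructor's code. The `TokenStore` class, the choice of SHA-256, and the account id are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Server-side store that keeps only a one-way hash of each API token."""

    def __init__(self):
        # account id -> hex SHA-256 digest of the token (never the token itself)
        self._digests = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Assumption: SHA-256. A fast hash is adequate here only because the
        # token is long and random; human-chosen passwords need a slow KDF.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        """Create a token, store its digest, and return the plaintext once."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._digests[account_id] = self._digest(token)
        return token

    def verify(self, account_id: str, presented: str) -> bool:
        """Hash the presented token and compare digests in constant time."""
        stored = self._digests.get(account_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(presented))

    def stored_record(self, account_id: str) -> str:
        """What an operator or a database dump would reveal: the digest only."""
        return self._digests[account_id]


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("acct-demo")  # constructed sample account id
    print("shown once at creation:", token)
    print("kept by the service:   ", store.stored_record("acct-demo"))
    print("valid token accepted:  ", store.verify("acct-demo", token))
    # Nothing stored can be turned back into the token, so in this sketch a
    # lost token is replaced by issuing a new one, which invalidates the old.
    new_token = store.issue("acct-demo")
    print("old still valid:", store.verify("acct-demo", token))
    print("new valid:      ", store.verify("acct-demo", new_token))
```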