Security in Web API

Customer's Canvas supports two security models that are based on either user tokens or security keys.

The first model assumes client-server communication: you create an authorization token for a single user so that this user can call the Web API (for the private image gallery, for example), and the client then sends this token along with the userId to protect each request.

The other model assumes that requests are sent to the Web API only from the backend and requires a secret key in the request header. When you use Web API controllers such as FontPreview or ProductTemplates, your HTTPS requests must include the header field X-CustomersCanvasAPIKey: "UniqueSecurityKey". "UniqueSecurityKey" is an arbitrary string, but it must be a unique value, which you define in the Web.config file:

        <add key="ApiSecurityKey" value="UniqueSecurityKey" />

Note that all snippets in this section define this security key in JavaScript code. This is highly insecure if they run on a public site, because anyone who can load the page can read the key. However, you can use them this way in your admin panel, or just for demonstration purposes.

For real applications, there should be back-end code that acts as a proxy and sends the requests to the controllers. Your code decides whether a user has enough rights to manipulate templates, fonts, or images; only if the user has enough rights does the code forward the request, with the secret key attached, to the corresponding controller.
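The following is an added example of such a back-end proxy written for Node.js; it is not code from Customer's Canvas or from this documentation, and a real installation might implement the same logic in ASP.NET next to the Web.config shown above. The header name X-CustomersCanvasAPIKey and the controller names FontPreview and ProductTemplates come from this page; the upstream URL, the role-to-controller policy, the request shape, and the function names are assumptions made for illustration. The key is read on the server and attached only to the outbound request, and the client receives nothing but the upstream status and body, so the secret never reaches the browser.

```javascript
"use strict";

// Placeholder values for the example; a real deployment reads the key from its
// configuration (ApiSecurityKey in Web.config) and never from client input.
const API_SECURITY_KEY = process.env.CC_API_SECURITY_KEY || "UniqueSecurityKey";
const UPSTREAM_BASE = process.env.CC_UPSTREAM_BASE || "https://customers-canvas.example.invalid/api";

// Assumed authorization policy: which Web API controllers each role may reach.
const CONTROLLER_POLICY = {
  admin: new Set(["FontPreview", "ProductTemplates"]),
  designer: new Set(["FontPreview"]),
};

// Conservative path charset so a caller cannot splice "../", "?" or "#" into
// the upstream URL that the proxy builds.
const SAFE_PATH = /^[A-Za-z0-9_\-.\/]*$/;

// Decide whether this user may call this controller at all.
function isAuthorized(user, controller) {
  const allowed = user && CONTROLLER_POLICY[user.role];
  return Boolean(allowed && allowed.has(controller));
}

// Build the request the proxy will send upstream. The secret key is attached
// here, on the server, after the authorization decision has been made.
function buildUpstreamRequest(user, controller, path, method, body) {
  if (!isAuthorized(user, controller)) {
    return { ok: false, status: 403, error: "forbidden" };
  }
  if (typeof path !== "string" || !SAFE_PATH.test(path) || path.includes("..")) {
    return { ok: false, status: 400, error: "invalid path" };
  }
  return {
    ok: true,
    request: {
      url: `${UPSTREAM_BASE}/${controller}/${path}`,
      method: method || "GET",
      headers: {
        "X-CustomersCanvasAPIKey": API_SECURITY_KEY,
        "Content-Type": "application/json",
      },
      body: body == null ? undefined : JSON.stringify(body),
    },
  };
}

// The proxy handler. `fetchImpl` is injectable so the example runs offline
// against a fake upstream; in production the global fetch is used.
async function proxy(user, controller, path, { method, body, fetchImpl = fetch } = {}) {
  const built = buildUpstreamRequest(user, controller, path, method, body);
  if (!built.ok) {
    return { status: built.status, body: JSON.stringify({ error: built.error }) };
  }
  const { url, ...init } = built.request;
  const upstream = await fetchImpl(url, init);
  const text = await upstream.text();
  // Relay only status and body: neither our request headers nor the upstream
  // response headers are exposed to the client.
  return { status: upstream.status, body: text };
}

// Sanity check used by the demo: the client-facing response must not contain the key.
function responseLeaksKey(clientResponse) {
  return JSON.stringify(clientResponse).includes(API_SECURITY_KEY);
}

// Constructed fake upstream: behaves like a controller that rejects requests
// without the correct header. No network access is needed.
const fakeUpstream = async (url, init) => ({
  status: init.headers["X-CustomersCanvasAPIKey"] === API_SECURITY_KEY ? 200 : 401,
  text: async () => JSON.stringify({ url, method: init.method }),
});

// Stand-alone demo: an admin may list templates, a designer may not.
proxy({ id: "u1", role: "admin" }, "ProductTemplates", "list", { fetchImpl: fakeUpstream })
  .then((res) => console.log("admin:", res.status, "leaked:", responseLeaksKey(res)));
proxy({ id: "u2", role: "designer" }, "ProductTemplates", "list", { fetchImpl: fakeUpstream })
  .then((res) => console.log("designer:", res.status));
```

The authorization check runs before the key is ever attached, and the path filter keeps the user from steering the proxied request to a different upstream resource; the exact policy table and path rules should be replaced with whatever your application's user model requires.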

In This Section

Design and Mockup Files
User Images
Custom Fonts
Personalized Rendering
Authentication with Tokens
Private Image Gallery