overhide.io blog
Ledger-Based Authorizations — gratis and "in-app-purchase" (IAP) based authorizations in dollars and cryptos
— a free and open-sourced (mostly) ecosystem of widgets, a front-end library, and back-end services
— make the fusion of "logins" and "in-app-purchases" (IAP) as banal and unliable as possible.
21 Mar 2021
by Jakub Ner

Access Tokens

Up until now the overhide APIs did not require authorization tokens, they were merely protected (from abuse) via throttling.

This was in the spirit of putting up as few barriers as possible to Ledger Based Authorizations.

Going forward, however, to rein in potential abuses of the APIs, all of the APIs will be accessed by authorizing with a token: an HTTP Authorization header of the form:

Authorization: Bearer <token>

The ledgers.js library — that abstracts the APIs for in-browser “login” use — will also support provision of a token.

Getting Tokens

Getting tokens is a very simple process, and one that remains anonymous and hassle free.

Simply register for a developer API key at https://token.overhide.io/register. “Register” is a strong word here. You don’t provide any information other than wait for a reCAPTCHA (I guess you do provide some usage information to Google).

The obtained API key is meant to sit in your application’s secure back-end and be used to issue tokens to your users.


When obtaining an API key, be sure to obtain one for the right overhide environment.


Your back-end should use your API key to retrieve tokens via GET /token (see token APIs) upon request.

The token should be used with your back-end calls to the remuneration APIs as an Authorization header with the Bearer <token> value.

The token should be forwarded to your front-end UX for use in ledgers.js.

The token should be used with your front-end UX components by enabling the oh$ ledgers.js global instance with oh$.enable(token) (see the library for details and examples).

The token expires and should be refreshed every so often (hours).
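As an added example (not overhide's own code) of the back-end half of this flow: retrieve a token with the API key, cache it, refresh it after a configurable interval, and build the Bearer header for calls to the remuneration APIs. It assumes the token endpoint is GET https://token.overhide.io/token?apikey=<key> returning the token as plain text; that query-parameter name, the refresh interval, and the offline stand-in token service are assumptions.

```javascript
// Added example, not overhide's own code.
// Assumed endpoint shape: GET https://token.overhide.io/token?apikey=<key> -> token as text.
const TOKEN_URL = 'https://token.overhide.io/token';
const REFRESH_AFTER_MS = 60 * 60 * 1000; // assumed: refresh hourly (tokens expire within hours)

// Keeps the API key on the back-end; only the short-lived token ever leaves this module
// (to be forwarded to the front-end for oh$.enable(token)).
function createTokenProvider(apiKey, { fetchImpl = globalThis.fetch, now = Date.now, refreshAfterMs = REFRESH_AFTER_MS } = {}) {
  let cached = null; // { token, obtainedAt }

  async function fetchToken() {
    const res = await fetchImpl(`${TOKEN_URL}?apikey=${encodeURIComponent(apiKey)}`);
    if (!res.ok) {
      // A blacklisted (revoked) API key shows up here as a failed token retrieval.
      throw new Error(`token retrieval failed: HTTP ${res.status} (API key revoked or blacklisted?)`);
    }
    return (await res.text()).trim();
  }

  // Returns the cached token until the refresh interval passes, then fetches a fresh one.
  async function getToken() {
    if (cached && now() - cached.obtainedAt < refreshAfterMs) return cached.token;
    const token = await fetchToken();
    cached = { token, obtainedAt: now() };
    return token;
  }

  // Header object for back-end calls to the remuneration APIs.
  async function authHeader() {
    return { Authorization: `Bearer ${await getToken()}` };
  }

  return { getToken, authHeader };
}

// Constructed stand-in for the token service so the example runs offline:
// answers with the given responses in order, repeating the last one.
function fakeTokenService(responses) {
  let calls = 0;
  return {
    calls: () => calls,
    fetch: async () => {
      const r = responses[Math.min(calls, responses.length - 1)];
      calls += 1;
      return { ok: r.ok, status: r.status, text: async () => r.body };
    },
  };
}
```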

Blacklisting

If your API key gets compromised and used by hackers (or if your code accidentally attempts to DOS our services), it will get blacklisted.

Your back-end will fail to retrieve tokens.

If this happens, you will need to re-generate API keys — and keep them safer.

You can reach out on reddit.

We will not tell you when your API key is revoked: we don’t collect your contact information.

Timeline

Use of tokens is not yet mandatory. APIs continue to be accessible without an Authorization header, and all previous versions of the ledgers.js library continue to function.

Eventually we will enforce the use of tokens with the APIs. When that happens only versions of ledgers.js 4.0.0 and higher will be supported.

All new work should ensure tokens are provided.