Client Side Security

New to the platform, checking out its features and integrations. So far the experience has been great.

For client site implementations (React, Vue, etc.), is there any level of security for interfacing directly with your repository API besides using the access token (for private repositories)?

Typically this is done with CORS server settings that restrict or permit access to domains. Even if a repository is private the access token is right there on the client.

Hello @k4nderson, welcome to the Community forum!

That is correct: the Prismic content that is distributed through the API can be configured as private. In private mode, the API requires the client application to authenticate itself to query, retrieve and display any content stored in a Prismic repository. Each data-consuming client application may use a distinct set of authentication credentials, by using an access token. Learn more on our Security & Compliance Features page.

Any additional security implementations built on top of the Prismic API will have to be configured externally.

This issue has been closed due to inactivity. Flag to reopen.

I'd like to get more info in terms of security.
My repo is now private and all the queries are done server-side. Now we are working on implementing pagination on the client side and we were wondering what are the implications of having a public API.

Hey @levijesica, if what worries you is that your repo content will be public, you must be aware that this is true. The content that you publish in a public repo will be available for anyone to see, meaning that, hypothetically, someone who is not part of your team could hit the endpoint and query the data of your API without restrictions. However, this doesn't imply that it is a security risk because, even if you have the endpoint, you'll not be able to modify anything without access to the repository, with the owner's permission.

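Added example, not part of the original thread and not Prismic's own code: one way to offer client-side pagination while the repository stays private and the queries stay server-side, as discussed above. The browser sends only `page` and `pageSize`; the server validates them and attaches the access token itself. The upstream URL is a placeholder, and the parameter names `page`, `pageSize` and `access_token`, the size limit and the function names are assumptions made for this sketch.

```javascript
// Server-side helper: the access token never reaches the browser.
// Assumptions: placeholder upstream URL; parameter names are assumed.
const UPSTREAM = 'https://example-repo.invalid/api/search'; // placeholder endpoint
const MAX_PAGE_SIZE = 50;                                   // constructed limit
const ALLOWED = new Set(['page', 'pageSize']);              // all the client may send

function parsePositiveInt(value, fallback) {
  if (value === undefined) return fallback;
  // Arrays (repeated params) and non-digit strings fail this check.
  if (!/^[0-9]{1,6}$/.test(String(value))) {
    throw new RangeError('not a positive integer');
  }
  const n = Number(value);
  if (n < 1) throw new RangeError('must be >= 1');
  return n;
}

// clientQuery: plain object of query-string values received from the browser.
// accessToken: read from server configuration, never from the request.
function buildUpstreamUrl(clientQuery, accessToken) {
  if (!accessToken) throw new Error('server is missing its access token');
  for (const key of Object.keys(clientQuery)) {
    // Reject anything outside the allowlist, including a client-supplied token.
    if (!ALLOWED.has(key)) throw new RangeError(`unexpected parameter: ${key}`);
  }
  const page = parsePositiveInt(clientQuery.page, 1);
  const pageSize = Math.min(parsePositiveInt(clientQuery.pageSize, 20), MAX_PAGE_SIZE);

  const url = new URL(UPSTREAM);
  url.searchParams.set('page', String(page));
  url.searchParams.set('pageSize', String(pageSize));
  url.searchParams.set('access_token', accessToken);
  return url;
}

// Use this form in server logs so the token is not written to disk.
function redactForLog(url) {
  const copy = new URL(url.href);
  if (copy.searchParams.has('access_token')) {
    copy.searchParams.set('access_token', 'REDACTED');
  }
  return copy.href;
}
```
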