Solved

How to protect Track & Identity API



Is there a way to prevent attackers from abusing the track and identity API? 

Since the API only requires a public key, couldn’t an attacker inject bad data into the backend?

 https://developers.klaviyo.com/en/reference/track-identify-overview


3 replies

alex.hong
  • Klaviyo Alum
  • 1552 replies
  • April 26, 2022

Hi @usmanismail,

Welcome to the Community.

Great question. I mean that would depend on which part of the API you are using. There are instances where the private API key is required and the public key should be found within your Klaviyo login. Unless you are sharing your account information or leaking login details, I’m unsure what requests could be made using a public key. 

 

Care to elaborate?
Alex


  • Author
  • Contributor I
  • 1 reply
  • April 28, 2022

I want to secure specifically the track API (https://developers.klaviyo.com/en/reference/track-post) it does not seem to have a private key


alex.hong
  • Klaviyo Alum
  • 1552 replies
  • Answer
  • June 3, 2022

Hey there for those wondering a similar thing,

At the moment, there are no additional security measures in place on our end that could require the track API to use a different form of authorization. You can do things to protect your public API key by using script managers such as Google Tag Manager to inject our javascript onto your site. 
 
While we are looking into alternative methods of API authentication for APIs designed to be used client-side that would prevent this from happening, historically we have had very little issue with this scheme, likely due to the fact that attackers are usually monetary-driven, and sending data into a Klaviyo account doesn't necessarily provide them with monetary value. But we still certainly understand the concern and inconvenience of this. It is absolutely something we are looking into.

Klaviyo is not unique in its use of public account tokens in client-side JS APIs. Other SaaS companies that provide client-side tracking APIs do the same. Even products Klaviyo uses itself, such as HubSpot and Heap Analytics, follow this practice. Tracking client-side events fundamentally entails exposing APIs that are publicly callable, and while there is a marginal risk that these calls are intercepted, we have made sure to separate our client-side APIs from our server-side APIs in order to ensure that there is no incentive for an attacker to exploit this.
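The thread above establishes that the Track endpoint accepts any request carrying your public token, so whoever holds that token can post whatever events they like. One pattern for narrowing that, shown here as an added example that is not Klaviyo's code and is not anything posted in this thread: have the browser post events to a relay on your own backend, which validates the payload against an allow list, rate-limits per client, and only then attaches the public token and forwards the call. The Track URL and request body shape (token, event, customer_properties, properties, time), the allowed event names, the property-name rule, and the limits are all assumptions chosen for illustration; check them against the Track API reference before relying on them.

```python
"""Server-side validating relay for client tracking events (added example, not
Klaviyo's code). Assumed, for illustration only: the legacy Track endpoint at
TRACK_URL and its JSON body shape; the event allow list and size limits."""
import json
import re
import time
from collections import defaultdict, deque

TRACK_URL = "https://a.klaviyo.com/api/track"   # assumed endpoint
ALLOWED_EVENTS = {"Viewed Product", "Added to Cart", "Placed Order"}  # illustrative
MAX_PROPERTY_COUNT = 32
MAX_PROPERTIES_BYTES = 4096
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,253}\.[A-Za-z]{2,}$")
# Conservative choice: plain property names only, so a client cannot smuggle in
# "$"-prefixed or otherwise special-looking keys through the relay.
PROPERTY_NAME_RE = re.compile(r"^[A-Za-z0-9_ ]{1,64}$")


class ValidationError(ValueError):
    """Raised when a client-supplied event fails validation."""


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window_s` seconds per key."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_event(payload):
    """Check the untrusted JSON object a browser posted to the relay.

    Returns a cleaned dict {event, email, properties}; raises ValidationError otherwise.
    """
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    event = payload.get("event")
    if event not in ALLOWED_EVENTS:
        raise ValidationError("unknown event")
    email = payload.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")
    props = payload.get("properties", {})
    if not isinstance(props, dict):
        raise ValidationError("properties must be an object")
    if len(props) > MAX_PROPERTY_COUNT:
        raise ValidationError("too many properties")
    for key, value in props.items():
        if not isinstance(key, str) or not PROPERTY_NAME_RE.match(key):
            raise ValidationError("invalid property name")
        if not isinstance(value, (str, int, float, bool)):
            raise ValidationError("property values must be scalars")
    if len(json.dumps(props)) > MAX_PROPERTIES_BYTES:
        raise ValidationError("properties too large")
    return {"event": event, "email": email.lower(), "properties": props}


def build_track_body(public_token, cleaned, now=None):
    """Assemble the forwarded request body (assumed legacy Track shape).

    The token is added here, server-side, so it never ships in page JavaScript
    for this path.
    """
    return {
        "token": public_token,
        "event": cleaned["event"],
        "customer_properties": {"$email": cleaned["email"]},
        "properties": cleaned["properties"],
        "time": int(time.time() if now is None else now),
    }


def relay_event(public_token, payload, client_key, limiter, send, now=None):
    """Rate-limit, validate, then forward one event via send(url, body).

    `send` is injected so the example runs offline; in production it would be
    an HTTP POST of `body` as JSON to `url`.
    """
    if not limiter.allow(client_key, now):
        return {"accepted": False, "reason": "rate limited"}
    try:
        cleaned = validate_event(payload)
    except ValidationError as exc:
        return {"accepted": False, "reason": str(exc)}
    send(TRACK_URL, build_track_body(public_token, cleaned, now))
    return {"accepted": True, "event": cleaned["event"]}


if __name__ == "__main__":
    # Constructed sample input: one legitimate event and one forged event.
    outbox = []
    limiter = RateLimiter(limit=3, window_s=60)
    good = {"event": "Added to Cart", "email": "Ann@Example.com", "properties": {"sku": "A-1"}}
    forged = {"event": "Admin Granted", "email": "x@example.com", "properties": {"$value": 10**9}}
    for payload in (good, forged):
        print(relay_event("pk_example", payload, "203.0.113.7", limiter,
                          lambda url, body: outbox.append(body), now=0))
    print(outbox)
```

Two caveats. The relay is itself an anonymous, publicly callable endpoint, so the allow list, scalar-only properties and per-client rate limit are the actual controls; the token move only matters if you are not also loading Klaviyo's onsite JavaScript, because that script tag (whether injected directly or through Google Tag Manager, which still runs in the browser) carries the public key regardless. Keep the relay behind your normal CSRF and origin checks as well, since it is acting on behalf of whoever calls it.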