Risks of using the Admin Rest API PUBLICLY

Excursionist

TL;DR: Using the REST Admin API as the Storefront API because implementing GraphQL is too expensive an option.

I was wondering what harm it may bring to my shop if I use the admin Product REST API in my JavaScript.

Should I set up an app with API permissions for Product Information only and READ ONLY, and then use it for some AJAX calls in JS? What are the risks?

Even if a user knows the API credentials, this would only give them READ-ONLY access to the PRODUCTS and nothing more(?). That is what normally happens, given that every user can see your product data from your website.

Also, this is the Storefront API's concept.

What are your thoughts?

Shopify Partner

Most stores expose data about their products at <store name>/products/<product handle>.json, so if only products are of concern to you, and the subset of fields this endpoint offers is enough, you might not need any tokens.

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog

Excursionist

Thanks @Visely-Team

That is what I needed for my client.

I found out that one can append both .json and .js (from the AJAX API).

And that they return slightly different JSON objects.

Do you know if there is any difference in terms of performance?


Shopify Partner

I can't tell you much about the performance, though I would assume it's comparable, if not even faster than the REST API, as it might get some more client-side and server-side micro-caching.

Sergiu Svinarciuc | CTO @ visely.io

Shopify Expert

@Giulio1 wrote:

TL;DR: Using the REST Admin API as the Storefront API because implementing GraphQL is too expensive an option.

I was wondering what harm it may bring to my shop if I use the admin Product REST API in my JavaScript.

Should I set up an app with API permissions for Product Information only and READ ONLY, and then use it for some AJAX calls in JS? What are the risks?

Even if a user knows the API credentials, this would only give them READ-ONLY access to the PRODUCTS and nothing more(?). That is what normally happens, given that every user can see your product data from your website.

Also, this is the Storefront API's concept.

What are your thoughts?

Oh no, please don't consider this. Let me point out some obvious problems:

  • It's just bad practice.
  • Even if you think "I will never accidentally switch on the edit scope", it's not impossible. The risk of losing all your product data, or worse if you extend the scope to other objects, is too scary for my tastes.
  • You'll expose more data than is exposed by default, for example inventory information.
  • You'll expose unpublished products.
  • You'll expose metafields on the products.
  • The Shopify API has limits; exposing your key to the public will absolutely ensure that the limit is not just hit, but exceeded. Shopify has a smart system: when you smash it with requests that create errors, exceed limits, etc., it will take action against it. A bad actor could also use that against you and intentionally hit that endpoint.
★ Winning Partner of the Build a Business competition. ★ http://freakdesign.com.au
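The pattern the two replies above recommend (Sergiu's public /products/<product handle>.json endpoint and Jason's advice to keep the Admin API out of storefront JavaScript), as an added example that is not part of the original thread and not Shopify's own code. It assumes a shop origin of https://example-store.myshopify.com, restricts handles to ASCII letters, digits and hyphens (stricter than Shopify's own handle rules), and uses a constructed sample payload with a mock fetch so it runs offline; publicProductUrl, assertPublicRequest, normalizeProduct, fetchPublicProduct and mockFetch are names chosen here, not Shopify APIs. The X-Shopify-Access-Token header it refuses to send is the one the Admin API authenticates with.

```javascript
// Added example, not code from the thread or from Shopify: read product data
// from the public storefront endpoints instead of shipping an Admin API key
// in theme JavaScript.
//
// Assumptions (none taken from the original thread):
//  - `origin` is the shop's public origin, e.g. "https://example-store.myshopify.com"
//  - handles are restricted to ASCII [a-z0-9-], stricter than Shopify's own rules
//  - the sample payload below is constructed; it mimics the shape of
//    /products/<handle>.js (bare product object) and /products/<handle>.json ({product: ...})

const HANDLE_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
const ADMIN_HEADERS = ["x-shopify-access-token", "authorization"];

// Build the public product URL. A user-supplied handle is checked against an
// allowlist so it cannot add path segments ("../admin") or a query string.
function publicProductUrl(origin, handle, format = "js") {
  if (!HANDLE_RE.test(handle)) throw new Error(`invalid product handle: ${handle}`);
  if (format !== "js" && format !== "json") throw new Error(`unsupported format: ${format}`);
  return `${origin.replace(/\/+$/, "")}/products/${handle}.${format}`;
}

// Guard against the failure mode Jason describes: refuse to send a browser
// request that carries Admin API credentials or targets /admin/api/.
function assertPublicRequest(url, headers = {}) {
  if (/\/admin\/api\//.test(url)) {
    throw new Error(`refusing to call the Admin API from client-side code: ${url}`);
  }
  for (const name of Object.keys(headers)) {
    if (ADMIN_HEADERS.includes(name.toLowerCase())) {
      throw new Error(`refusing to send ${name}: the value would be readable by every visitor`);
    }
  }
  return true;
}

// Reduce either response shape to the fields a storefront widget needs.
// Unlike the Admin API, these endpoints do not hand back unpublished
// products, inventory quantities or metafields, so nothing is stripped here.
function normalizeProduct(body) {
  const p = body && body.product ? body.product : body;
  if (!p || typeof p.handle !== "string") throw new Error("unexpected product payload");
  return {
    handle: p.handle,
    title: p.title,
    variants: (p.variants || []).map((v) => ({ id: v.id, title: v.title, price: v.price })),
  };
}

// fetchImpl is injectable so the example can run offline against mockFetch.
async function fetchPublicProduct(origin, handle, fetchImpl = globalThis.fetch) {
  const url = publicProductUrl(origin, handle);
  const headers = { accept: "application/json" };
  assertPublicRequest(url, headers); // no token, so nothing to leak in page source
  const res = await fetchImpl(url, { method: "GET", headers });
  if (!res.ok) throw new Error(`${url} returned HTTP ${res.status}`);
  return normalizeProduct(await res.json());
}

// Constructed sample payload in the shape of /products/<handle>.js; it is not
// a real response from any store.
const SAMPLE_PRODUCT_JS = {
  id: 1,
  title: "Example Tee",
  handle: "example-tee",
  available: true,
  variants: [{ id: 11, title: "Small", price: 2500 }],
};

// Offline stand-in for fetch: serves the sample for one handle, 404 otherwise.
function mockFetch(url) {
  const ok = url.endsWith("/products/example-tee.js");
  return Promise.resolve({
    ok,
    status: ok ? 200 : 404,
    json: () => Promise.resolve(SAMPLE_PRODUCT_JS),
  });
}

// Usage: resolve the product through the public endpoint without any token.
fetchPublicProduct("https://example-store.myshopify.com", "example-tee", mockFetch)
  .then((p) => console.log(p.title, p.variants.length));
```

The allowlist on the handle matters because the handle usually comes from the page (a data attribute or the URL); without it, an attacker-controlled value could redirect the request elsewhere on the shop. assertPublicRequest is the cheap tripwire for the mistake the thread is about: if someone later "just adds" the admin token header to the same helper, the request fails loudly in development instead of quietly publishing the key to every visitor.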

Excursionist

Thanks @Jason,

I think that I will have a go with the AJAX API instead, whose existence I was completely unaware of before posting my question.

Do you have any advice about the product AJAX API?


Shopify Expert

The AJAX API is there for you to use with your Online Storefront channel. Much less risk than trying to hijack that Admin API.

As long as you're following what's shown in here you should be good to go:
https://help.shopify.com/en/themes/development/getting-started/using-ajax-api

Was there a specific concern/question about it?

★ Winning Partner of the Build a Business competition. ★ http://freakdesign.com.au