I’m currently utilizing Plasmic Auth for user authentication, but I’m facing a challenge in sending authenticated HTTP requests to my backend API.
Initially, my approach involved sending a request with currentUser -> email, but I’m concerned about its security since my backend server lacks the capability to validate whether the email truly belongs to the user.
To solve this, I would like to implement a JWT between my backend server and Plasmic. However, I’m uncertain whether this requires utilizing a custom authentication or if it’s achievable with Plasmic Auth.
Any insights or guidance on this matter would be greatly appreciated. Thank you!
Great question. The TLDR answer is to pass a secret token to your HTTP API as a hardcoded value, such as in the headers.
This works because integrations are routed through Plasmic servers first. Hardcoded values are stored on Plasmic servers and sent to your HTTP API. They will never be exposed on the client. Please check out this page for a more detailed explanation of how security works for backend integrations.
Thank you for your response! Just to clarify, if I’m understanding correctly, all integration requests are proxied by Plasmic. So, when integrating with the HTTP API, the request to my backend will be handled by Plasmic and not by the client. Is that correct?
If so, I’m curious about any limiting factors regarding the number of API requests allowed. While I noticed a reference to “monthly page views” in the pricing plans, there’s no mention of nº integration requests.
Could you provide some insight on this?
Hi @nuno_lopes, we don’t currently have a limit on integration requests, but we may introduce one in the future. Unfortunately I can’t share more than that.
New to Plasmic myself and found your answer here. Are you saying that Plasmic only supports a single hardcoded token for an HTTP API integration? (In this case my own API.)
My API is set up such that you need to dynamically get a new auth token that eventually expires in order to make requests. Does Plasmic not support this, or am I missing something?
If we were to hardcode a token, it would expire, which isn’t useful in our case.
Suppose we have different tokens for different APIs. In that case, what do you suggest we do? Make the Plasmic host application’s global context contain all those tokens, so that we can use this global context in Studio to call the various APIs with their respective tokens?
Yes that is possible. However, take care that you are not storing secrets that should be kept on the server in the context, since it will be available on the user’s browser. If you are making API calls to other services with a secret token, you should create your own backend server to keep the secret token safe.