2

I am using the Survey Monkey API to get the URLs of surveys I have created, which allows me to display surveys from within my application. To do this I have to send my key and authorization with the request.

What concerns me is that Survey Monkey has an API 'create_flow' that allows surveys to be created. Using Fiddler I can see my requests, including the key and authorization token. As far as I can see, this means that anyone could use this information to access the API and create a new survey on my account, which I do not want.

Is there any way to stop someone from creating new surveys using the API and the auth token? I'm not really bothered about people getting access to the survey details or URIs, as all they can do is post junk survey results that only I will see, but I absolutely don't want anyone else to be able to create a survey that will be presented to all my users with potentially malicious text.

Graham

1 Answer

2

It is not possible to make an account read-only.

So if I'm understanding correctly, you're shipping an application which contains your api_key and access token?

This is very much not recommended - the access token is equivalent to your account password, it gives full access to your account.

If you want a way to dynamically list your surveys, the best way to do it is to create a proxy web app / API you host yourself. When someone hits that address, it uses the access token / API key you've stored on your box and grabs the list of surveys and then returns it to your app. This is the only safe way to do this.
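A sketch of the proxy described in the answer above, added here as an example and not part of the original answer or Survey Monkey's own code. The upstream URL, the environment variable names, the way the key and token are attached to the request, and the `{"surveys": [...]}` response shape with `title` and `url` fields are all assumptions to be replaced with the real values.

```python
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Assumptions: placeholder upstream URL and field names; substitute the real ones.
UPSTREAM_LIST_URL = "https://api.example.invalid/surveys/list"
ALLOWED_FIELDS = ("title", "url")  # only what the client application needs

def fetch_upstream():
    """Call the survey API with credentials that exist only on this server."""
    req = Request(
        UPSTREAM_LIST_URL + "?api_key=" + os.environ["SURVEY_API_KEY"],
        data=b"{}",
        headers={"Authorization": "bearer " + os.environ["SURVEY_ACCESS_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def handle(method, path, fetch=fetch_upstream):
    """Return (status, body). Listing surveys is the only operation exposed."""
    if path != "/surveys":
        return 404, {"error": "not found"}
    if method != "GET":
        return 405, {"error": "method not allowed"}
    try:
        surveys = fetch().get("surveys", [])
        # Copy allowlisted fields only, so nothing else from upstream leaks out.
        listing = [{k: s.get(k) for k in ALLOWED_FIELDS} for s in surveys]
    except Exception:
        return 502, {"error": "upstream failure"}  # never echo upstream detail
    return 200, {"surveys": listing}

class Proxy(BaseHTTPRequestHandler):
    def _reply(self):
        status, body = handle(self.command, self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _reply

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Because the proxy has no route that forwards to a create call and never accepts an upstream path from the client, the shipped application can list surveys without ever holding the key or token.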