API keys are the primary way that you authorize your application when you're using Yuzu's APIs.
Sign up for a Yuzu account to create your own API key.
API keys in Yuzu are designed to be publishable. In other words, they are not secrets. That means that you can safely use them in browser or mobile frontend apps or check them into your VCS.
The primary way your API keys are protected from potential abuse by bad actors is through attaching one or more allowed origins to your API keys. When you add an allowed origin to an API key, that means it can only be used on websites with the domain you specify. Here's an example from the dashboard:
For this API token, we've added localhost and yuzu.dev as allowed origins. This means that the API will reject any request that does not originate from localhost or yuzu.dev.
When you add origins, do not include the scheme or the port. Yuzu compares only the host part of the request's Origin header against your allowed origins, so an allowed origin of yuzu.dev matches both http://yuzu.dev and https://yuzu.dev:8443.
Allowed origins do not include subdomains
Matching is exact on the host. If you want to use your API key on multiple subdomains that you own, you must allow each one separately: allowing yuzu.dev does not allow finance.yuzu.dev.
You can specify that one or more of your API tokens can be used without an Origin header present in the request. This allows you to use the key from non-browser contexts, like your server-side app or a command-line tool, which do not send the header.
Allowing an API token to be used with an empty Origin removes a layer of protection from the API key: any client that simply omits the header can then use it. Only enable this for keys you believe are at low risk of exposure (a server you control, a developer's machine), and prefer a separate key for that purpose rather than relaxing the key you ship to browsers.
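The following is an added example, not Yuzu's own code, showing how a server-side check with the semantics described above can be written: the host part of the Origin header is compared exactly against the key's allowed origins (scheme and port ignored, no implicit subdomains, no suffix matching), and a missing Origin is accepted only for keys explicitly marked for that. The key names, the record shape and the request header names are assumptions; the key records are constructed sample data.

```javascript
// Added example, not Yuzu's own code. Key records below are constructed sample
// data; the key names and record shape are assumptions, not Yuzu's real format.
const API_KEYS = {
  // A key shipped to browser front-ends: an Origin header is required.
  pk_browser_demo: { allowedOrigins: ["localhost", "yuzu.dev"], allowEmptyOrigin: false },
  // A key used from a server-side app or CLI: requests without Origin are accepted.
  pk_server_demo: { allowedOrigins: ["yuzu.dev"], allowEmptyOrigin: true },
};

// Returns { ok, reason } so the caller can log why a request was rejected.
function originAllowed(apiKey, originHeader) {
  const record = API_KEYS[apiKey];
  if (!record) return { ok: false, reason: "unknown API key" };

  // No Origin header: only keys explicitly marked allowEmptyOrigin get through.
  if (originHeader === undefined || originHeader === null || originHeader === "") {
    return record.allowEmptyOrigin
      ? { ok: true, reason: "empty origin permitted for this key" }
      : { ok: false, reason: "Origin header required" };
  }

  // Browsers send the literal string "null" for opaque origins (sandboxed iframes,
  // file:// pages, some redirects). It is not a host and must never match.
  if (originHeader === "null") return { ok: false, reason: "opaque (null) origin" };

  // Parse with the WHATWG URL API so the scheme and port fall away and the host is
  // normalized (lower-cased, IDNA-encoded). A bare "yuzu.dev" is not a valid
  // Origin value and fails to parse, so it is rejected here.
  let hostname;
  try {
    hostname = new URL(originHeader).hostname;
  } catch {
    return { ok: false, reason: "malformed Origin header" };
  }
  if (!hostname) return { ok: false, reason: "Origin has no host" };

  // Exact host comparison. This is what keeps "yuzu.dev.evil.com" and
  // "finance.yuzu.dev" out when only "yuzu.dev" is allowed: no suffix or
  // prefix matching and no wildcards.
  const allowed = record.allowedOrigins.some(
    (host) => host.toLowerCase() === hostname
  );
  return allowed
    ? { ok: true, reason: `host ${hostname} is an allowed origin` }
    : { ok: false, reason: `host ${hostname} is not an allowed origin` };
}

// Convenience for an HTTP handler: pull the key and Origin out of a headers
// object. The "x-api-key" header name is an assumption for this example.
function checkRequest(headers) {
  return originAllowed(headers["x-api-key"], headers["origin"]);
}
```

The exact-match rule is the important part: comparing with `endsWith("yuzu.dev")` or a regular expression would let an attacker register yuzu.dev.evil.com and embed the key in a page there.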
You can create as many API keys as you like, and delete them at any time. However, any time you delete an API key, it will immediately stop working on any clients where it's used.
The Origin header is a forbidden request header: JavaScript running in a page cannot set or override it, so its value can be trusted when the request really comes from a browser. Browsers attach it to every cross-origin request, and to same-origin requests whose method is anything other than GET or HEAD. Non-browser clients (curl, a server-side script) are not bound by this and can send any Origin value they like, so the allow-list protects your key against being embedded in someone else's web page rather than against every possible misuse.
For example, if you're on https://finance.yuzu.dev/AAPL, and some JavaScript on the page makes an HTTP POST request to graph.yuzu.dev, these are some of the request headers that the server will see:
| Header Name | Header Value |
|---|---|
| Origin | https://finance.yuzu.dev |
| Accept | */* |
| Content-Type | application/json |
| User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X) ... |
The browser includes the origin's scheme, host, and port in the Origin header, but not the path, query, or fragment. The port is only written out when it is not the default for the scheme (443 for https, 80 for http); a default port is omitted from the serialized value. For example, for the URL https://finance.yuzu.dev:443/AAPL?sort=asc#anchor-tag, these are the parts of the URL that would be included in the Origin header, which the browser sends as https://finance.yuzu.dev:

| Component | Value | Included in Origin header |
|---|---|---|
| Scheme | https | ✅ |
| Host | finance.yuzu.dev | ✅ |
| Port | 443 | ✅ only when non-default; 443 is the https default, so it is omitted here |
| Path | /AAPL | 🚫 |
| Query | ?sort=asc | 🚫 |
| Fragment | #anchor-tag | 🚫 |
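The following is an added example, not Yuzu's own code, that builds the Origin header value by hand from a page URL using the component rules in the table above (scheme and host always, port only when non-default, path/query/fragment never) and cross-checks the result against the platform's own `URL.origin`. It also covers the case the table does not show: schemes such as file: have an opaque origin, which browsers serialize as the literal string "null". The input URLs are constructed samples.

```javascript
// Added example, not Yuzu's own code. Derives the Origin header value a browser
// would send for a page URL, following the component table above.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function serializeOrigin(pageUrl) {
  const u = new URL(pageUrl);
  // Schemes without a (scheme, host, port) tuple origin (file:, data:, ...) have
  // an opaque origin, which browsers serialize as the literal string "null".
  if (!(u.protocol in DEFAULT_PORTS)) return "null";
  // Scheme and host always go in; the port only when it is not the scheme's
  // default. (The WHATWG URL parser already blanks out a default port, so ":443"
  // on an https URL reads back as "".) Path, query and fragment are dropped.
  const port = u.port && u.port !== DEFAULT_PORTS[u.protocol] ? `:${u.port}` : "";
  return `${u.protocol}//${u.hostname}${port}`;
}

// Cross-check against the platform's own serialization (URL.origin), which is
// what a browser actually puts in the header.
function matchesPlatformOrigin(pageUrl) {
  return serializeOrigin(pageUrl) === new URL(pageUrl).origin;
}
```

Because the default port disappears during serialization, an allow-list entry written as "yuzu.dev:443" would never match; this is one reason the allowed-origin entries above are host-only.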
To read more about the Origin header, head over to the MDN docs.