Securing Keys

Last week we switched over to a key based authentication system. It helps us efficiently measure who is hitting the service, and it’s simple for developers to incorporate into their apps. Perhaps it is too simple. There is a concern that others can take a key and start using it on their sites. While we do offer oAuth for developers to truly protect their credentials, we want to make it easy for anyone to lock down their key.

We have had the ability to restrict keys by referrer internally for a little while now, but wanted to make sure it was solid before releasing it to the world. Today you will be able to restrict key usage to only the domains that you specify.

Manage Referrers

To get started log into your Embedly dashboard. You will see a new box named ‘Manage your Referrers’. This is a list of all the sites that you allow access to.


When you click ‘Manage’ you will be taken to the Client Referrers page where you can edit and add new referrers. We use a simple wildcard syntax for adding domains much like how oEmbed declares schemas. For example, if you want to allow all traffic from localhost:8000 you would enter localhost:8000*. If you wanted to allow only traffic from subdomains of it would look like **. Take special note of the wildcard at the end. That is required if you want us to match any and all paths for a domain. Otherwise we will only allow traffic from the specified URL.


We also built a simple way for users to test their patterns from within the Client Referrers page. Just input a URL from your site and we will let you know if it matches or not.


We are continuously trying to improve our service based on your feedback. Keep it coming. Next on the list is adding support for matching User Agents. Expect that in the next few weeks.

Posted 3 years ago by embedly-team
Embed This