Shared secret with API in an Ajax Adobe AIR app

I'm pretty new to developing AIR apps, so maybe this is a dumb question, but I can't seem to find any answers from Google. Any help you can give me is greatly appreciated.

I'm building an AIR app with Ajax using an API that is identical to Flickr's API, with a shared secret key. The problem is that the AIR installation package contains all the source and I don't want to give away my shared secret. Is there any way to do this? Can I hide some source, or somehow include this shared secret within the app without giving it away?

Thanks for your help.



You may want to use EncryptedLocalStore to securely store your API key.

But you won't be able to distribute it with the application, as the store's encryption depends on which OS the application is running on.

A method to seed the store would be, on app's install:

  1. Run installer
  2. Run post-installation scripts as needed.
  3. Check the store. If no key is present, download the key from your website and store it in the ELS.

Using this method, the user will never know your key but it will be present in app's store.


First question - does the license allow you to write an app and give it to someone else to use with your key, rather than having their own key?

If so, and if this is an AIR-compatible SDK, they should have some method they recommend.


This question describes how Flickr provides access to extra resources with a key. If this is an AIR app, are you jumping through the sandbox hoops to provide a simultaneous internet and desktop app?


I would either store the key on the server and retrieve it using SSL (https://) and the class or store it in the encrypted SQLite database. Obviously the database creates a lot more overhead if you aren't already using it, so I'd go with the first option if you're not going to use the SQLite database now or in the future.


You can use the EncryptedLocalStore like Pierre-Yves Gillier mentioned. There is a method to detect if the application is run for the first time. But I'd go for this method:

Check if the EncryptedLocalStore has the API key and if not grab it from the server and store it.
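
The flow these answers describe (check the EncryptedLocalStore, download the key over HTTPS if it is missing, then store it), as an added example that is not part of the original answers. `KEY_NAME`, `KEY_URL` and the store adapter are hypothetical, and the `air.*` names assume AIRAliases.js is loaded in the AIR HTML app.

```javascript
// Added example: seed-on-first-run flow for an AIR HTML/Ajax app.
var KEY_NAME = "apiSharedSecret";             // hypothetical ELS item name
var KEY_URL = "https://example.com/api-key";  // placeholder endpoint (assumption)

// Adapter over air.EncryptedLocalStore, which stores and returns ByteArrays.
// Only usable inside the AIR runtime; `air` comes from AIRAliases.js.
function airStore() {
  return {
    get: function (name) {
      var bytes = air.EncryptedLocalStore.getItem(name);
      return bytes ? bytes.readUTFBytes(bytes.length) : null;
    },
    set: function (name, value) {
      var bytes = new air.ByteArray();
      bytes.writeUTFBytes(value);
      air.EncryptedLocalStore.setItem(name, bytes);
    }
  };
}

// Download the key, refusing any URL that is not HTTPS.
function httpsFetch(url, done) {
  if (url.indexOf("https://") !== 0) { return done(new Error("HTTPS required")); }
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) { return; }
    if (xhr.status === 200) { done(null, xhr.responseText); }
    else { done(new Error("key download failed: HTTP " + xhr.status)); }
  };
  xhr.open("GET", url, true);
  xhr.send(null);
}

// Return the stored key, or download and store it when the store is empty.
// A failed or empty download is reported and nothing is written to the store.
function getApiKey(store, fetchKey, done) {
  var cached = store.get(KEY_NAME);
  if (cached) { return done(null, cached); }
  fetchKey(KEY_URL, function (err, body) {
    var key = err ? "" : String(body).replace(/^\s+|\s+$/g, "");
    if (err || !key) { return done(err || new Error("empty key from server")); }
    store.set(KEY_NAME, key);
    done(null, key);
  });
}

// In the AIR app: getApiKey(airStore(), httpsFetch, function (err, key) { /* use key */ });
```

The downloaded key still reaches the client, so the ELS protects it at rest from other local users and applications rather than from someone running the app who can observe the download.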

