
Question

Best way to secure the Laserfiche API access token?

asked on August 29, 2023

I have a Laserfiche Form that is using JavaScript to make calls to the Laserfiche API. What is the best way to secure the access token so that the public cannot make calls with it? Is there a way to restrict it so that only certain IP addresses can call the API for instance?

0 0

Replies

replied on August 29, 2023

Hi,

Unfortunately, we don't have a way to restrict API calls to certain IP addresses.

As for securing the access token, some good practices are:

- use PKCE for public apps (using the SPA flow: https://developer.laserfiche.com/guides/guide_oauth-spa.html)

- have short-lived and scoped access tokens

- store the access token in a secure place on the browser/client side, or even have a dedicated backend for it

- transmit the access token over secure channels

1 0
replied on August 30, 2023

If this question is about the self-hosted Laserfiche API Server rather than Laserfiche Cloud, there are options. Either use a standard network firewall or the IIS IP Address and Domain Restrictions feature.

1 0
replied on August 30, 2023

An additional security measure is to create an Access Token with granular scope(s) to limit what document(s) it can R/W. See https://developer.laserfiche.com/guides/guide_oauth_2.0_scopes.html

1 0