HereMaps - These credentials do not authorize access. Can't get valid response for Public Transit API - rest

I registered for a public 90-day free trial on HereMaps a few days ago and I can't get a valid response for the Public Transit API. Routing works properly but that API doesn't. I call the example request from the documentation with my valid credentials:
https://transit.cit.api.here.com/v3/route.json
?app_id={APP_ID}
&app_code={APP_CODE}
&routing=all
&dep=41.9773,-87.9019
&arr=41.8961,-87.6552
&time=2017-12-11T07%3A30%3A00
After calling it, I receive this response:
{
  "Res": {
    "serviceUrl": "https://transit.cit.api.here.com/transit/v3/route.json",
    "Message": {
      "code": "I4",
      "level": "E",
      "text": "These credentials do not authorize access. Please contact your customer representative or submit a request here https://developer.here.com/contact-us to upgrade your account. You can also get valid credentials by registering for a free trial license on https://developer.here.com."
    }
  }
}
Any idea what I'm doing wrong? I thought that it might be due to a non-updated database on the server side, but this seems not to be the problem. Thanks for your time.

Please find the reason and explanation below:
https://developer.here.com/faqs#general
How do I evaluate the HERE Platform?
HERE offers a free trial of its web APIs and Mobile SDKs. To register for a free trial, please signup.
Please note that to access the following features we need to whitelist your evaluation app_id. Please contact us to request access to:
Batch Geocoding: allows the user to upload multiple addresses in a single file for geocoding.
Transit API Advanced Offering: access to advanced features of our Transit API, from early and late departures to real-time next departures and transit isoline.
Weather API: enrich mapping applications with weather-related data such as weather forecasts, severe weather alerts and astronomical information.
Fleet Connectivity Extension: RESTful web service that enables connectivity between a backend system and a navigation application.
Custom Route Extension: Build custom routes considering your own road restrictions and geometries.
Intermodal Routing: Provides alternative routes combining drive, park, ride and walk functionality, while taking into account real-time traffic and incidents information, public transit timetables and dynamic information.
I hope this helps!
Regards,
Alberto

Related

Pub/Sub Authentication concept for decentral publisher

Context: We are hosting an online shop that needs to track customer behaviour. To achieve this tracking we have integrated several tracking events based on the customer journey in our shop. Based on the GDPR requirements in Europe we are forced to send the tracking events to infrastructure that is controlled by us as a company. Sending data via the Google Analytics Tag Manager directly to Google servers is forbidden by the GDPR law. Side note: To simplify this question, I intentionally leave out everything regarding user consent management.
Problem statement: We need each client to send every tracking event directly from the browser to a Pub/Sub endpoint. Now, my question is what a best practice for proper security would look like.
Current proposal: The Pub/Sub endpoint doesn't require an authentication --> AllUsers have been granted Pub/Sub Publisher permission. In addition I've created an API-KEY that is restricted to
the Pub/Sub API only
to specific HTTP referrers (basically the domain our webshop operates)
Are there other strategies that could be applied? Is the current proposal a valid (aka secure) way to go?

Giving Pub/Sub publisher access to allUsers is not recommended. Create a service account, give publisher access to it, and send messages using that service account.
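
An added example, not part of the original answer: an audit that flags the binding from the question's proposal (a public principal holding a publish-capable role) and rewrites the policy the way the answer suggests. The dictionaries follow the JSON shape printed by `gcloud pubsub topics get-iam-policy --format=json`; the group, project and service account names are constructed, and the service account is assumed to be used by a collector the shop runs on its own backend.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Predefined Pub/Sub roles that include the pubsub.topics.publish permission.
PUBLISH_ROLES = {"roles/pubsub.publisher", "roles/pubsub.editor", "roles/pubsub.admin"}


def public_publish_bindings(policy):
    """Return (role, member) pairs that let a public principal publish."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in PUBLISH_ROLES:
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    findings.append((binding["role"], member))
    return sorted(findings)


def harden(policy, service_account):
    """Return a copy with public publishers removed and the service account added."""
    bindings = []
    for binding in policy.get("bindings", []):
        members = list(binding.get("members", []))
        if binding.get("role") in PUBLISH_ROLES:
            members = [m for m in members if m not in PUBLIC_MEMBERS]
        if members:  # a binding left without members is dropped
            bindings.append({**binding, "members": members})
    sa = "serviceAccount:" + service_account
    for binding in bindings:
        # Reuse an unconditional publisher binding if one already exists.
        if binding["role"] == "roles/pubsub.publisher" and "condition" not in binding:
            if sa not in binding["members"]:
                binding["members"].append(sa)
            break
    else:
        bindings.append({"role": "roles/pubsub.publisher", "members": [sa]})
    return {**policy, "bindings": bindings}


# Constructed sample: the topic policy implied by the question's "current proposal".
PROPOSED = {"version": 1, "bindings": [
    {"role": "roles/pubsub.publisher", "members": ["allUsers"]},
    {"role": "roles/pubsub.viewer", "members": ["group:analytics@example.com"]},
]}
# Hypothetical service account for a collector endpoint operated by the shop.
COLLECTOR_SA = "tracking-collector@example-project.iam.gserviceaccount.com"


if __name__ == "__main__":
    print(public_publish_bindings(PROPOSED))
    print(harden(PROPOSED, COLLECTOR_SA))
```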

Retrieving more than 30 messages using streams/symbols

Background
Given a symbol (i.e. cashtag), I need to retrieve twits from 2015 up to 2019 in order to perform sentiment analysis for a research project.
Problem
The public API is limited to the last 30 messages, as explained in https://api.stocktwits.com/developers/docs/api#streams-symbols-docs.
https://api.stocktwits.com/api/2/streams/symbol/NVDA.json
I tried the same request in an authenticated manner, but I face the same limitation.
https://api.stocktwits.com/api/2/streams/symbol/NVDA.json?access_token=<access_token>
Question
Is there a way to work around the limitation?

Yes, there is. You should contact their support team to get Partner-level access to download historical data.
"There are some endpoints and data that are not available in the public Stocktwits API, including the full firehose data stream of our content. You may also have an application that requires higher usage limits (rate, message or other limits) than the public API. These additional capabilities are highlighted in the API documentation. If your application requires access to these capabilities, please contact our team to discuss."
https://api.stocktwits.com/developers/contact

Ionic 1 public api protection to consume only by android smartphones

I built an Ionic app using version 1 some year ago; the app is public and no authentication is required.
How can I enable API consumption only from the Android smartphone?
If someone decompiles the APK, they can see the API and consume data from the API.
How can I prevent this?

At the end of the day, there isn't much you can do to completely prevent someone from accessing or scraping data via your public API.
However, here are some ideas that can help mitigate it:
API Key
Store an API Key in your app, and validate the key on the server side before processing the request. This suggestion isn't too helpful if they decompile your app, but at least it's a start in preventing the API from being exposed by just using the app (especially if you make all your HTTP requests over SSL).
IP Address Logging
Set up some code within your mobile app that logs the IP address of the user. Then, when a call is made to your public API, it compares the IP address from the request with the list of IP addresses that have been logged from the mobile app. You can even use timestamps to limit the time frame in which the API will be accessible.
Rate Limits/Usage Quotas
You can put some general rate-limits on your API. Only allow a certain number of requests within a specified time frame from any given IP address, user, device ID, etc.
Hope this helps. I would love to hear more thoughts from other people in the community as well!
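
An added example, not the answerer's code: a server-side gate combining two of the mitigations above, a constant-time API key check followed by a sliding-window quota per client IP. The key value, limits and addresses are constructed, and as the answer notes, a key shipped inside an APK can be extracted, so the quota is what bounds the damage.

```python
import hmac
import time
from collections import defaultdict, deque


class ApiGate:
    """Server-side check: API key first, then a sliding-window quota per client."""

    def __init__(self, api_key, limit, window_seconds, clock=time.monotonic):
        self._key = api_key.encode()
        self._limit, self._window = limit, window_seconds
        self._clock = clock
        self._hits = defaultdict(deque)  # client id -> times of accepted calls

    def check(self, presented_key, client_id):
        """Return an HTTP-style status: 401 bad key, 429 over quota, 200 accepted."""
        # compare_digest avoids leaking the key through response timing.
        if not hmac.compare_digest(presented_key.encode(), self._key):
            return 401
        now = self._clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self._window:
            hits.popleft()  # drop calls that have left the window
        if len(hits) >= self._limit:
            return 429
        hits.append(now)
        return 200


# Constructed traffic: (seconds, presented key, client IP from documentation ranges).
SAMPLE = [
    (0, "k-demo-123", "203.0.113.7"),
    (1, "k-demo-123", "203.0.113.7"),
    (2, "k-demo-123", "203.0.113.7"),   # third call inside 10 s: over quota
    (3, "wrong-key", "198.51.100.9"),   # bad key is rejected before counting
    (4, "k-demo-123", "198.51.100.9"),  # a separate client has its own quota
    (11, "k-demo-123", "203.0.113.7"),  # the first two calls have aged out
]


def demo():
    box = [0]  # fake clock so the sample replays deterministically
    gate = ApiGate("k-demo-123", limit=2, window_seconds=10, clock=lambda: box[0])
    out = []
    for t, key, client in SAMPLE:
        box[0] = t
        out.append(gate.check(key, client))
    return out
```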

Using service accounts and oauth2 to call autoML Google API

I've trained an image classification model using the AutoML API and now I would like to create a Java program that makes predictions of given images using that model. As mentioned in the docs, this API requires the OAuth scope: https://www.googleapis.com/auth/cloud-platform.
I don't need the user to login since I will not use any private data, so I decided to use service accounts and followed the steps in OAuth2 for service accounts to generate an access token.
The process goes well and I receive the response:
{"access_token": "access_token_string", "expires_in": 3600, "token_type": "Bearer"}
Then, I go back to send the post request for autoML prediction, and set the header "Authorization" to "Bearer access_token_string".
I have the error message
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
I know that the prediction request is correct because I've tried it using an accessToken generated for web apps (just wanted to test).
So the problem is in the authorization part. I've checked that my service account has all the required permissions as well. I don't know where the problem is exactly; does anyone have an idea?

So since there are no answers, I contacted the Google Support Service. They told me that the below requests are correct, and the problem is in allowing the service account to access my GCP project resources. This step is explained here
I had already gone through this step but I must have missed something the first time, so I deleted the service account and restarted all the steps. It's working now!
I hope this will help someone :)

API Authentication - Clients (consumers) vs. local users

I work for an ecommerce site and we are looking to expose much of our core functionality via a set of APIs. We plan on re-writing some of our own public facing applications (e.g. the main shop website and our mobile app) to call these new APIs also. We also want to offer some of these APIs out to third-parties who want to integrate with us.
My first question is - what is a suitable authentication method for these APIs? Everything I read is about OAuth, but am I right in saying that this doesn't fit in this case as we're not looking to use another log in system (e.g. Facebook, Google) but rather restrict access to our own API (so maybe an API key or JWT solution would be better?)
Secondly, our current website has its own user accounts system. How do you offer /user endpoints (like GET user/1235/paymentmethods) in an API like this? Surely the actual user (website customer) needs to authenticate somehow in order for the given API consumer to access their data.
I've spent the last 2 days reading about this but I'm at a loss as to how to go about this! Any help much appreciated.