I have a website on shared hosting. I know that I should keep API tokens out of public_html folders on said website. I would like to use a <domain>/config/config.php file to hold those API tokens for Smartsheet. This approach is working for another application that I integrate with from this website.
However, when I put the API token for Smartsheet into this config.php file, and leave the sheet_ID and name in the files that call the API, it always fails. Debugging shows that it just can't find the api_token.
I have added CORS statements that allow origins from all subdomains of the website. These identical CORS statements work correctly with the other application that I integrate with from this website.
If I add the api_token into the PHP file (which is in a public_html folder) that calls the API, then everything works.
Why can't I put the api_token in a secure location?
I apologize if my question is not clearly stated. Please ask for clarifying information. I can share code if necessary.
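
An added example, not the poster's code: one way to load a token from a config file kept outside public_html and fail loudly when the file or the key cannot be found, instead of calling the API with an empty token. The function name `load_smartsheet_token`, the key `smartsheet_api_token`, the temporary directory and the token value are all assumptions constructed for the example.

```php
<?php
// Added example; paths, key name and token value are constructed.

/**
 * Load the Smartsheet token from a PHP config file that returns an array.
 * Throws instead of silently continuing with an empty token.
 */
function load_smartsheet_token(string $configPath): string
{
    // Resolve to an absolute path: relative includes depend on the calling
    // script's working directory and include_path.
    $real = realpath($configPath);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("Config not readable: {$configPath}");
    }
    // The file returns its values, so nothing depends on which variable
    // scope the include happens in (e.g. inside a function).
    $config = require $real;
    $token = is_array($config) ? ($config['smartsheet_api_token'] ?? '') : '';
    if (!is_string($token) || trim($token) === '') {
        throw new RuntimeException("smartsheet_api_token missing in {$real}");
    }
    return trim($token);
}

// Constructed stand-in for a config directory above public_html, so the
// example runs offline. On a real site the caller would pass something like
// dirname(__DIR__) . '/config/config.php' (assumed layout).
$dir = sys_get_temp_dir() . '/config_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/config.php",
    "<?php\nreturn ['smartsheet_api_token' => 'EXAMPLE-TOKEN'];\n");

try {
    $token = load_smartsheet_token("$dir/config.php");
    // Smartsheet takes the token as a bearer credential.
    $headers = ['Authorization: Bearer ' . $token];
    echo 'Token loaded, length ' . strlen($token) . "\n"; // never log the token itself
    load_smartsheet_token("$dir/missing.php");            // throws: file not found
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // goes to the server error log, not the response
} finally {
    @unlink("$dir/config.php");
    @rmdir($dir);
}
```

The exception message names the path that was actually tried, which separates "file not found or not readable by the PHP process" from "file loaded but the key is empty".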