Client-side applications
The access token you get from your account page allows you to make queries on the Trefle API, but it needs to be kept secret. You can't make queries from the browser with it, because the users of your website would see the access token and could use it for their own needs. Additionally, this is not good practice in software development.
If you need to perform client-side requests, you will have to request a client-side token from your own backend and get a JWT in return. This token will be usable on the client side. This call needs your secret access token and the URL of the website that the client-side requests will come from.
Because this is a POST request it can't be done directly from the browser.
- CURL
In your terminal:
curl -X POST 'https://trefle.io/api/auth/claim?token=YOUR_TREFLE_TOKEN&origin=YOUR-WEBSITE-URL&ip=12.34.56.78'
- NodeJS
const fetch = require('node-fetch');

// The parameters for our POST request
const params = {
  origin: 'YOUR-WEBSITE-URL',
  ip: 'THE-WEBSITE-USER-IP',
  token: 'YOUR_TREFLE_TOKEN'
};

// Run this on your backend: it sends your secret access token to the claim endpoint
(async () => {
  const response = await fetch(
    'https://trefle.io/api/auth/claim', {
      method: 'post',
      body: JSON.stringify(params),
      headers: { 'Content-Type': 'application/json' }
    });
  // The JSON body carries the client-side JWT and its expiration
  const json = await response.json();
  console.log(json);
})();
And we get:
{
"token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxMDYsIm9yaWdpbiI6IllPVVItV0VCU0lURS1VUkwiLCJpcCI6IlRIRS1XRUJTSVRFLVVTRVItSVAiLCJleHAiOjE1OTQ2NDIxNDh9.Vd2d3UK7zdNWZLBOn8y50NcUKuF8xFZgh6p7EB4fhVw",
"expiration": "07-13-2020 14:09"
}
You can then use this token directly from the browser. It can't be used from another origin, will expire and only works for your website.
Putting the user's remote IP in the claim API call is optional, but it provides an additional security layer. We don't keep or store this information.
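The backend side of this flow, as an added example that is not Trefle's own code: it builds the claim request with the secret kept server-side, decodes the returned JWT's claims, and hands the browser only the JWT and its expiry. The function names, the `TREFLE_TOKEN` environment variable and the use of Node 18+ global `fetch` are assumptions; the sample response is the one shown above.

```javascript
// Added example, not Trefle's code. Runs on your backend (Node 18+ assumed).
const CLAIM_URL = 'https://trefle.io/api/auth/claim';
// Sample claim response copied from this page, used as offline input.
const SAMPLE_CLAIM_RESPONSE = {
  token: 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxMDYsIm9yaWdpbiI6IllPVVItV0VCU0lURS1VUkwiLCJpcCI6IlRIRS1XRUJTSVRFLVVTRVItSVAiLCJleHAiOjE1OTQ2NDIxNDh9.Vd2d3UK7zdNWZLBOn8y50NcUKuF8xFZgh6p7EB4fhVw',
  expiration: '07-13-2020 14:09',
};

// Build the POST described above. The secret access token appears only here.
function buildClaimRequest(secretToken, origin, userIp) {
  const params = { origin, token: secretToken };
  if (userIp) params.ip = userIp; // the IP is optional
  return {
    url: CLAIM_URL,
    options: {
      method: 'post',
      body: JSON.stringify(params),
      headers: { 'Content-Type': 'application/json' },
    },
  };
}

// Decode (not verify) the JWT payload. We do not hold the signing key, so this
// is a sanity check on the claims, not a proof of authenticity.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet that JWTs use.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Reduce the claim response to what the browser may see: JWT and expiry only.
function toBrowserPayload(claimJson, expectedOrigin, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(claimJson.token);
  if (claims.origin !== expectedOrigin) throw new Error('token bound to unexpected origin');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('token expired');
  return { token: claimJson.token, expiresAt: new Date(claims.exp * 1000).toISOString() };
}

// Hypothetical wiring: call this from a backend route your front end requests.
async function issueClientToken(origin, userIp) {
  const { url, options } = buildClaimRequest(process.env.TREFLE_TOKEN, origin, userIp);
  const response = await fetch(url, options);
  if (!response.ok) throw new Error(`claim failed: HTTP ${response.status}`);
  return toBrowserPayload(await response.json(), origin);
}
```

Decoding the sample token shows that the origin, the user IP and the expiry travel inside the JWT as claims, which is why the secret access token never has to reach the browser.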