Hi, I am trying to fix my app to get prices for magic cards. It’s a desktop app. Not a website; I don’t have any website at all. I receive public/private keys, but it seems like I cannot create a permanent app token to put in the app; the bearer token only lasts 2 weeks, so I cannot hardcode it in my app. I can hardcode keys to request a token for every person who will be using it, but it makes no sense, as my app is open source, which means I will be exposing these keys in a public source repo. Am I missing something?
I store my key in a database table, along with a LastUpdated date field. In my code, if it’s been more than X days since LastUpdated, or if I get a connection error, then my code gets a new key and updates the database table.
But to get a new token I need the private key in the application code, which means it will be shipped with the application to the user (and since it’s open source, it’s in the source code too).
Keep your keys in a configuration file that lives outside of your source control and reference those keys from your code. Most developer environments facilitate pulling in app settings/app secrets from an external file.
You still think it’s a website. It’s not a website! It’s an app. An external file would be a file inside the app! There are no external files unless it’s a file on the user’s computer.
You can’t access a file in the app’s directory? There must be a way to have app settings in a config file for your app. For your desktop app. It’s a common feature. What’s your development environment?
I can create files on the desktop. I can store it in a file, in a database, in memory - that is not a problem. But I cannot create a bearer token on the desktop without the private key, right?
So my app has to have the private key hardcoded into itself; there is no server from where I can get it.
What’s your development environment?
You are basically correct. Either your users will need their own key pairs from TCGPlayer or you will need to set up a server to provide them info.
TCGPlayer is (entirely reasonably) controlling the access and volume to their servers, so an open-source project like you’re describing will always face this problem. Hardcoding your keys for anyone to use will probably get them revoked very quickly.
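The "set up a server" option from the last reply, sketched as an added example that is not code from any poster in this thread: a small server-side broker keeps the key pair, caches the bearer token for its two-week lifetime, and hands desktop clients only price data. The class, the environment variable names, and the injected `fetch_token`/`call_api` callables are hypothetical stand-ins for the real upstream HTTP calls, and a 401 status for a rejected token is assumed.

```python
import os
import threading
import time

TWO_WEEKS = 14 * 24 * 3600  # token lifetime stated in the thread


def load_keys(env=os.environ):
    """Read the key pair from the server's environment, never from the repo."""
    # Variable names are hypothetical; pick whatever your host provides.
    return env["TCG_PUBLIC_KEY"], env["TCG_PRIVATE_KEY"]


class TokenBroker:
    """Runs on the server; desktop clients only ever receive price data."""

    def __init__(self, keys, fetch_token, call_api, clock=time.time, margin=3600):
        self._keys = keys
        self._fetch_token = fetch_token  # (public, private) -> (token, lifetime_seconds)
        self._call_api = call_api        # (token, card_id) -> (http_status, body)
        self._clock = clock
        self._margin = margin            # refresh this many seconds before expiry
        self._lock = threading.Lock()
        self._token, self._expires = None, 0.0

    def _bearer(self, force=False):
        # One token is shared by all client requests, so upstream sees a
        # single well-behaved consumer instead of one token per user.
        with self._lock:
            stale = self._clock() >= self._expires - self._margin
            if force or self._token is None or stale:
                self._token, lifetime = self._fetch_token(*self._keys)
                self._expires = self._clock() + lifetime
            return self._token

    def price(self, card_id):
        """Return the upstream body for one card; retry once if the token was rejected."""
        status, body = self._call_api(self._bearer(), card_id)
        if status == 401:  # assumed status for a revoked or expired token
            status, body = self._call_api(self._bearer(force=True), card_id)
        if status != 200:
            raise RuntimeError(f"upstream returned {status}")
        return body
```

The desktop app then calls this server's own price endpoint, which is also the place to rate-limit clients so the shared key pair stays within the upstream limits.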