How to secure ION account

When we use ION account token for a website, someone else can see that token from client side and use it for their purpose.

This may cause topping up the limit for transfer rates or sessions.

Is there a precaution for this? Like domain restriction ?


Domain restrictions are something we’ve thought about, but have not investigated thoroughly yet. I’m dubious of their usefulness because it is easy for a bad actor to spoof the origin header and therefore completely negate the restriction. I wrote up an issue in the ion-community repository so that we document best practices and investigate domain restrictions in the future:

As far as I know, the industry standard for dealing with “public” access tokens is token rotation. Basically you create a new token and revoke the old one on some set schedule so that even if someone does steal it; it becomes useless. Once a month is a good starting point for such practices. In the future, we plan on having a documented REST API to manage tokens which would allow you to automate this as part of your deployment process.

Thanks for trying ion,