Forum Discussion

luke_dc
Member
2 months ago

MYOB API Keys with OAUTH 2.0

Hi, I am developing a desktop app for Windows which connects via OAuth to MYOB Cloud instances.

It authenticates the user via the OAuth MYOB login page and keeps the access token in memory while the user is using the app.

My question is, what about the API keys themselves, can anyone refer me to the requirements for storage of the API Key and secret? These are the keys I have been issued as a developer.

Obviously I don't want anyone to access these, even if they could not access any user data with them. Currently they're stored in code, but I want to know the correct way to store them.

Just to repeat, this is a desktop application which accesses cloud MYOB data. I intend to distribute this app via Microsoft Store.

ChatGPT recommends that I use OAuth PKCE for this, but I can't find any documentation or posts here about that.

Is there any documentation for keeping the API keys secure for a desktop application? If necessary I can store them on my license key server and issue them to the desktop app on request, storing them only in memory. Would this be considered secure enough?

Thank you for any responses.

4 Replies

  • Isaiah_C
    MYOB Moderator
    2 months ago

    Hi luke_dc,

    Hopefully another developer in the community can get you a response soon, otherwise feel free to reach out to the support team via developer.myob.com.

    Regards,

    Sai

  • luke_dc
    Member
    2 months ago

    Thanks Sai, I've submitted a request to the API support team.

  • The_Doc
    Ultimate Cover User
    2 months ago

    Hi luke_dc

    I would be very careful about using any advice from ChatGPT - it is banned in our business. However, OAuth PKCE = Proof Key for Code Exchange isn't available in the MYOB API but is available in the Xero API and is a means to get around this problem.

    However, to solve your problem - yes, handing out your secret in plain text or a token that has a long life is handing keys to the kingdom in your app.

    The bottom line is you need to encrypt these, somehow, and there are a lot of articles on how to do this - but do not embed your secret into your source code - that is bad juju development - you need to encrypt and store it in a secret location on the user's computer - in the registry or in a hidden location - so that if your app is stolen the key doesn't go with it.

    And yes, there are ways of doing this without compromising your secret key and tokens - but the bottom line is do not store in plain text.

    And finally, obfuscate your source code - there are utilities to do this on the internet.

    The Doc.
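To show the PKCE mechanism that the question and The_Doc's reply mention (the OAuth 2.0 extension in RFC 7636 that lets a public client such as a desktop app complete the authorization code flow without a client secret), here is an added Python example that is not part of this thread and not MYOB or Xero code. The AuthServer class is a constructed stand-in for an authorization server; the MYOB API does not offer this flow, as The_Doc notes.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh per-login secret that the desktop app keeps only in memory.
    32 random bytes encode to 43 unreserved characters (allowed: 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed in-memory stand-in for an authorization server."""

    def __init__(self):
        self._codes = {}  # authorization code -> stored code_challenge

    def authorize(self, challenge: str, method: str) -> str:
        # Authorization request: the app sends only the challenge, never the verifier.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        # Token request: the code is one-shot and is bound to the original verifier.
        stored = self._codes.pop(code, None)
        if stored is None:
            return False
        return secrets.compare_digest(code_challenge(verifier), stored)


def pkce_login(server: AuthServer, verifier: str) -> bool:
    """Client side of the flow: challenge goes out, verifier comes back later."""
    code = server.authorize(code_challenge(verifier), "S256")
    return server.token(code, verifier)


def intercepted_code_is_useless(server: AuthServer) -> bool:
    """A party holding only the authorization code, not the verifier, is refused."""
    legit = new_code_verifier()
    code = server.authorize(code_challenge(legit), "S256")
    return not server.token(code, new_code_verifier())
```

The first assertion below uses the reference vector from RFC 7636 Appendix B, so the transform can be checked against the standard rather than against itself.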