Using API Via AJAX - How To Prevent Exposing API Key?


I'm considering significantly simplifying product add/update pages for vendors by creating a frontend that would have only what's required and would do multiple operations in one go based on a single form fill (vs. the vendor having to do things in multiple steps, like adding options, modifiers, turning 'tracking with options', etc.).

However, it would require storing the API key on the frontend side, which could be risky, as it would allow vendors to get the API key registered to the admin user. Is there any way to add cookie-based authentication for the API that would facilitate running its methods in the context of the currently logged-in user?


Why would a vendor be adding products from the frontend? All vendor administrator actions are done from the backend other than the initial "apply to be a vendor" page.

Vendor administrators already have an API key available for their use.

Yes, I'm talking about the backend area - I'm using the term frontend in the sense of a JS mini app (within the backend area) talking to the REST API. I thought that the API key is only available to full admins. In that case I could generate the JS on the PHP side, passing the given user's API key, right? That would be great, thanks!

How can I get the user's API key programmatically?

Read it from the cscart_users table.

Right, thanks!