How to make an API call securely from a Freshworks app if the API key has to be passed in a query parameter?

Hello Legends
We have an API call that doesn't use headers for authentication…yup.
So they are fine with us having the API key in the query (did send them a mail with the apiKey visible in the network tab)…hence iparams.json is not applicable for us.

Any idea how to solve this with more security?

We are looking to post this app to the Freshworks Marketplace, but I am worried that this might be a showstopper.

IDK why we missed this post; my apologies @Ansfs91. If you haven’t solved it already, here is a quick rundown on how you can implement this:

Continue using iParams, but mark the field as non-secure, e.g., create an iparam named api_key that’s not marked "secure": true.

Platform v2.2:

Pass the iparam as a template substitution string in the URL, like:

const url = "https://<%= iparam.domain %>?apiKey=<%= iparam.api_key %>";
await client.request.post(url, { body });

Platform v2.3:

config/requests.json:

{ 
  "iparamInQuery": {
    "schema": {
      "method": "POST",
      "host": "<%= iparam.domain %>",
      "query": {
        "apiKey": "<%= iparam.api_key %>"
      }
    }
  }
}

Frontend code:

await client.request.invokeTemplate("iparamInQuery", { body });

Either way, you will not reveal the iparam’s value to the end user.
