Why does Ecobee only issue a single API Key?

OAuth2 is based on consumerKey/secretKey. You don't supply these when registering an app. Instead, you ONLY supply an API Key. When using tools built upon standard OAuth2 (like Spring Social) this makes it quite limiting.
  • MarkK (API Architect) March 19, 2015 14:14
    The secret key is optional in the OAuth 2.0 spec. Whether it is consumerKey/secretKey or just consumerKey, all keys must be presented to make a valid request. Regardless of the implementation, you must still keep your own keys secret. The secret added nothing beneficial over just the applicationKey alone, since you always need both and the security of both is likely to be the same.

    If your app is public, you should encrypt and secure the key inside whatever secure store is available on the platform. Both iOS and Android provide a local secure native store where this key can be stashed, along with the user's tokens.

    If your application is open source, part of your app's configuration should be supplying the applicationKey by the user. That is a small requirement considering that you are already asking someone to build and run your app in the first place.

    Why do you want to do this?

    The applicationKey represents you, as the owner of the app and the applicationKey is your signature. As such, you are responsible for misdeeds made using said key. If ecobee detects that an app -- any app -- abuses the ecobee API, we will ban it, and possibly ban the developer account who owns the key if the problem is chronic. If that key is associated with your account, but is not your app, well, you're still responsible.

    I'm not familiar with Spring Social, but if it requires a secretKey, just send us an empty string, or any junk. The ecobee API will ignore it because we do not use it.
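
The two points in the reply above (the key is supplied by whoever builds and runs the app, and an empty secret is sent only when the OAuth library insists on one), as an added example that is not part of the reply or of ecobee's code. The environment variable name, the function names and the use of the standard OAuth 2.0 refresh-token grant are assumptions made for illustration.

```python
import os
import stat
from urllib.parse import urlencode

ENV_VAR = "ECOBEE_APPLICATION_KEY"  # hypothetical name, not defined by ecobee


class ConfigError(Exception):
    """Raised when no usable applicationKey was supplied at run time."""


def load_application_key(env=None, key_file=None):
    """Return the applicationKey from the environment or a private key file.

    Nothing is hardcoded, so an open-source checkout never carries the
    developer's own key.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key and key_file:
        mode = os.stat(key_file).st_mode
        # Refuse a key file that group or other users can read or write.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ConfigError(f"{key_file} is accessible to group/other; chmod 600 it")
        with open(key_file, encoding="utf-8") as fh:
            key = fh.read().strip()
    if not key:
        raise ConfigError(f"set {ENV_VAR} or pass a key file; no key ships with the source")
    return key


def refresh_request_body(application_key, refresh_token, library_requires_secret=False):
    """Form-encode a refresh-token request that identifies the client by key alone."""
    fields = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": application_key,
    }
    if library_requires_secret:
        # Empty placeholder for libraries that demand a secret field.
        fields["client_secret"] = ""
    return urlencode(fields)


def redact(key):
    """Shorten a key for log lines so the full value is never written out."""
    return key[:4] + "..." if len(key) > 8 else "****"
```
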