Frontend

Let’s say you’re making a react sdk that allows the installers users to send events to the sdk platform, where the installer can then view them. 

We can give the installer a publishable key to determine which events belong to them, but since this key is client side, couldn’t anyone spoof the key? 

Advice appreciated!

You could have the installer specify allowed domains and only track events that come from that domain.

Staff Eng at Iron Fish 🐟 • Building BlockSocks 🧦 • Denver, CO 📍

couldn’t you set up a proxy server to spoof the referer?

cool makes sense. just trying to get an understanding of what an acceptable mvp looks like for this sort of thing

Yeah but you can guard some of that stuff on your server. If your users API keys must live on the client, the options are limited afaik.

Whitelisting domains is how some RPC providers and analytics clients do it though.