Is it possible for the user to select the value for a channel's Write API key?
Fox Devices on 3 Mar 2024
Latest activity: Edit by Fox Devices on 6 Mar 2024
I've read thru the API reference doc and the information in the right-hand side panel on the "API Keys" tab and so I'm pretty sure the answer is "no" but thought it was worth double-checking.
My application for this is that I have several devices, each with their own channel. For security, I'd like them to be able to deduce or calculate the write API key to their channel based on their device serial number (which each device knows) so that I don't have to store the API key in their firmware.
thanks...
4 Comments
They are Particle devices.
My user API key is not in the firmware. It's in an app (dev tool) used to configure the devices. The app creates the Thingspeak channel, scoops up the returned write and read keys, uses that info to generate a QR code sticker for my device box that conveniently points the user to their Thingspeak chart(s), and adds the devices' ThingSpeak channel and key info to a header file (.H) that's used by all of the devices' firmware.
Currently, all of the Thingspeak info that is in this header file is surrounded by compile time logic (C pre-processor terms like #define, #if, etc.). This way, only the device's own ThingSpeak info goes into the compiled firmware, not all of the ThingSpeak info for all devices. But there is no mechanism for the developer to tell the Particle build system which device it is compiling for. So the developer must add a compile-time variable for the specific device before flashing the firmware onto the device. That's not scalable, has a human in the process, and results in the channel id and write API key in the firmware.
There are some Particle-side mechanisms which appear to be promising candidates for removing the API keys from the firmware. I'm just digging into them now, so I'm not clear on the details. Those mechanisms are:
- Particle "Device Note" which allows the device to get to some web-based info using its device id as the key. There's an API for creating device notes which means my dev tool could do this. In addition to the goal of "no keys in the firmware", this would remove the human from this part of the process which is desirable to reduce errors.
- Particle "Logic" which is beta right now: It allows the device to trigger some server-side JavaScript code which for this use case could be a table of ThingSpeak channel info that uses the device id as the key. The device would make this call once at boot time and keep the key in volatile memory. https://changelog.particle.io/uncategorized/particle-logic-beta-is-now-available/
- Particle "Ledger" (also in beta) which is a companion feature of Particle Logic and allows the device to store and retrieve structured data in the cloud.
I need to read up on these to see which option is best.
It's not a huge issue for me to have ThingSpeak info in the firmware. It's certainly not a deal breaker. I'm just trying to start off on the right foot with respect to security best practices and one of those is to not have keys in the firmware. A few ways that the ThingSpeak API could support this best practice are (1) allowing the user to provide the write API key at the time the channel is created, (2) allowing the ThingSpeak "Write Settings" API to change the write API key, (3) (best) allowing the Particle device to pass its Particle Device ID in lieu of an API key (now that would be awesome and most secure!).
edit: I'll update this thread after I've looked at the Particle options. I have a few things in front of that right now.
Thanks Chrispher.
I'm using the create channel API to create the channel and get the keys programmatically when I provision say, 10-20 new devices. And that works great.
A private lookup channel would require its API key to be in the firmware too (unless I'm missing the point). The vendor of my microcontroller has a lookup mechanism on their site which can be accessed via the device serial number instead of a key in the firmware. So if my devices have to do a lookup, I'll probably use their mechanism as it'll provide the benefit of their security.
No, it is not possible to specify any of your API keys. You could have the device preprogrammed to read from a lookup channel to get its API key and channel info. It might not be as secure, but your lookup channel can be private, and you could even encode the API keys before providing them to the device.
There is also a create channel API, so the device could create its own channel. The API key is returned, so the device would uniquely know the api key (along with the ThingSpeak account holder). The device would need to know the ThingSpeak account User API key to create a channel.
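
The provisioning side of the device-ID lookup approach discussed in this thread, as an added example that is not code from any poster, ThingSpeak or Particle: it builds a server-side table from create-channel responses, returns only a device's own write key at boot, and checks a firmware source file for any provisioned key. The response field names (`id`, `api_keys`, `api_key`, `write_flag`), the device IDs, the key values and the `TS_WRITE_KEY` macro are assumptions constructed for illustration.

```python
import json

# Constructed create-channel responses keyed by Particle device ID. Field names
# (id, api_keys, api_key, write_flag) are assumed; keys are placeholders.
RESPONSES = {
    "dev-0001": '{"id": 1001, "api_keys": [{"api_key": "W1PLACEHOLDER0001", "write_flag": true},'
                ' {"api_key": "R1PLACEHOLDER0001", "write_flag": false}]}',
    "dev-0002": '{"id": 1002, "api_keys": [{"api_key": "W2PLACEHOLDER0002", "write_flag": true},'
                ' {"api_key": "R2PLACEHOLDER0002", "write_flag": false}]}',
}

def channel_record(response_text):
    """Pull the channel id and both keys out of one create-channel response."""
    body = json.loads(response_text)
    keys = body.get("api_keys", [])
    write = [k["api_key"] for k in keys if k.get("write_flag")]
    read = [k["api_key"] for k in keys if not k.get("write_flag")]
    if "id" not in body or len(write) != 1:
        raise ValueError("expected a channel id and exactly one write key")
    return {"channel_id": body["id"], "write_key": write[0],
            "read_key": read[0] if read else None}

def build_lookup(responses):
    """Server-side table: device ID -> channel record (lives outside the firmware)."""
    return {device_id: channel_record(text) for device_id, text in responses.items()}

def boot_payload(table, device_id):
    """What one device fetches at boot: its own channel id and write key only."""
    if device_id not in table:
        raise KeyError(f"device {device_id} is not provisioned")
    rec = table[device_id]
    return {"channel_id": rec["channel_id"], "write_key": rec["write_key"]}

def leaked_keys(firmware_text, table):
    """Return device IDs whose read or write key appears in a firmware source file."""
    return sorted(
        device_id for device_id, rec in table.items()
        if any(key and key in firmware_text
               for key in (rec["write_key"], rec["read_key"]))
    )

if __name__ == "__main__":
    table = build_lookup(RESPONSES)
    print(boot_payload(table, "dev-0001"))
    old_header = '#define TS_WRITE_KEY "W2PLACEHOLDER0002"'  # constructed header line
    print(leaked_keys(old_header, table))
```

Running `leaked_keys` over the generated header in a build step turns "no keys in the firmware" into a check that fails the build instead of a convention.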