Authentication overview
Glitterly provides an API for programmatic image generation from templates, designed for developers integrating dynamic visuals into their applications. Authentication for the Glitterly API is managed through API keys, which serve as a unique identifier and secret token to authorize requests. This method is common for web services requiring direct client-to-server communication where session management or user delegation is not the primary concern. Each API key is associated with a Glitterly account and grants access to the resources and functionalities permitted by that account's plan and permissions.
The API key must be included in every request to the Glitterly API to ensure that the request originates from an authorized source. Failure to include a valid key or providing an invalid key will result in an authentication error, typically an HTTP 401 Unauthorized or 403 Forbidden response. Glitterly enforces the use of HTTPS (TLS 1.2 or higher) for all API communications, encrypting data in transit and protecting API keys from interception during transmission, aligning with general security recommendations for API interactions, as detailed in the Cloudflare API security best practices.
Supported authentication methods
Glitterly’s API primarily supports API key authentication. This method is straightforward to implement and manage, making it suitable for server-side applications and internal tools that interact with the Glitterly API.
API Key
API keys are unique, secret tokens that identify a Glitterly account and authorize API requests. They are typically generated from the user's dashboard and represent a direct credential similar to a password for API access. When using API keys:
- How it works: The API key is sent with each request, typically in the
Authorizationheader using theBearerscheme, or as a query parameter. - When to use: Ideal for server-to-server communication, backend applications, internal scripts, or environments where the key can be securely stored and managed without exposure to client-side code.
- Security considerations: API keys grant broad access to your Glitterly account's API capabilities. They must be treated with the same confidentiality as passwords. Rotation and revocation features are available to manage key lifecycle.
| Method | When to Use | Security Level |
|---|---|---|
| API Key (Bearer Token) | Server-side applications, backend services, internal automation | High (when properly managed and transmitted over HTTPS) |
Getting your credentials
To obtain your Glitterly API key, you will need an active Glitterly account. The process involves navigating to your account settings or a dedicated API section within the Glitterly dashboard.
- Sign in to Glitterly: Access your Glitterly account using your registered email and password.
- Navigate to API Settings: Once logged in, look for a section labeled 'API Settings', 'Developer', or similar, often found under your profile or account management menu.
- Generate New API Key: Within the API settings, you should find an option to 'Generate New API Key' or 'Create Key'. Clicking this will typically generate a unique alphanumeric string. Some platforms may allow you to name your key for easier management.
- Securely Store Your Key: After generation, the key will be displayed. It's crucial to copy this key immediately and store it securely. For security reasons, Glitterly may only display the full key once, and you might not be able to retrieve it again if lost. Store it in environment variables, a secrets manager, or a secure configuration file, rather than hardcoding it directly into your application's source code.
- Permissions and Scopes (if applicable): While Glitterly's API keys currently offer broad access, some future iterations or similar APIs might offer granular permissions or scopes for keys. Always review any options to restrict a key's access to only the necessary operations.
If you suspect your API key has been compromised, or if you no longer need a specific key, you can revoke it from the same API settings page in your Glitterly dashboard. This action immediately invalidates the key, preventing any further unauthorized use.
Authenticated request example
Here's an example of how to make an authenticated request to the Glitterly API using curl. This example demonstrates how to include your API key in the Authorization header as a Bearer token.
This request assumes you are generating an image using one of Glitterly's templates. Replace YOUR_API_KEY with your actual Glitterly API key and adjust the template_id and modifications payload according to your specific Glitterly template and desired image output.
curl -X POST \
https://api.glitterly.app/v1/images \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"template_id": "tpl_xxxxxxxxxxxxxxx",
"modifications": {
"title": "New Product Launch",
"description": "Check out our latest innovation!",
"image_url": "https://example.com/product.jpg"
},
"output_format": "png",
"width": 1200,
"height": 675
}'
In this example:
-X POSTspecifies the HTTP method.https://api.glitterly.app/v1/imagesis the Glitterly API endpoint for image generation.-H 'Content-Type: application/json'indicates that the request body is in JSON format.-H 'Authorization: Bearer YOUR_API_KEY'is the critical authentication header, whereBeareris the scheme andYOUR_API_KEYis your secret credential.-dprovides the JSON payload containing thetemplate_idand anymodificationsrequired to customize the generated image, along with output specifications.
For more detailed API usage and specific endpoint documentation, refer to the official Glitterly API documentation.
Security best practices
Adhering to security best practices is essential when handling API keys to protect your Glitterly account and data. Compromised API keys can lead to unauthorized access, resource abuse, and unexpected billing charges.
1. Keep API Keys Confidential
- Never hardcode: Avoid embedding API keys directly into your source code. This makes them discoverable if your code repository is compromised.
- Environment variables: Store API keys in environment variables (e.g.,
GLITTERLY_API_KEY) on your server or development machine. This isolates keys from the codebase. - Secret management services: For production environments, use dedicated secret management services like AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault to store and retrieve API keys securely.
2. Transmit Keys Securely
- Always use HTTPS: Glitterly's API requires HTTPS. Ensure all your API calls are made over HTTPS to encrypt the API key and other data in transit, preventing eavesdropping. This is a fundamental security practice for web APIs, as highlighted in Mozilla's guide on secure contexts.
3. Restrict Key Permissions (if applicable)
- While Glitterly's current API key model provides broad access, always assign the minimum necessary permissions if or when granular access controls become available. This limits the damage if a key is compromised (principle of least privilege).
4. Rotate API Keys Regularly
- Periodically generate new API keys and revoke old ones. This practice reduces the window of opportunity for a compromised key to be exploited.
- Establish a rotation schedule (e.g., every 90 days) and have a documented process for updating keys in all consuming applications.
5. Monitor API Usage
- Regularly check your Glitterly account's usage logs or dashboards for any unusual activity or spikes in requests that could indicate a compromised key or unauthorized access.
6. Revoke Compromised Keys Immediately
- If you suspect an API key has been exposed or compromised, revoke it immediately from your Glitterly dashboard. Generate a new key and update all applications using the affected key.