docs(auth): support standard authorization headers and fix typos#52
Open
OluwaseunOlajide wants to merge 2 commits into
Open
docs(auth): support standard authorization headers and fix typos#52OluwaseunOlajide wants to merge 2 commits into
OluwaseunOlajide wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the Authentication section of the API docs to discourage insecure API-key-in-URL usage and move toward standard Authorization: Bearer headers.
Changes:
- Updated the primary
curlauthentication example to send the API key via anAuthorization: Bearerheader. - Adjusted the example URL formatting (currently introduces a Markdown-link formatting issue inside the code block).
Comments suppressed due to low confidence (1)
source/index.html.md:75
- The paragraph immediately below the updated example still instructs users to authenticate via the
?api_key=...query parameter, which contradicts the newAuthorization: Bearerheader example (and the PR description). It also contains typos (“on” -> “one”, “recieve” -> “receive”).
--header 'Authorization: Bearer API_KEY_HERE'
You authenticate to the Booqable API by providing on of your API keys in the request.
This can be done by appending ?api_key=API_KEY_HERE to the end of your request URL.
</details>
---
💡 <a href="/booqable/api-documentation/new/master?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
source/index.html.md:75
- The example now uses an
Authorizationheader, but the following text still instructs users to pass the API key as a URL query parameter and contains typos ("on of", "recieve"). This is inconsistent and continues to encourage an insecure pattern. Also consider updating other examples that still useapi_keyin the URL (e.g.source/includes/_customers.md:83) to keep the docs consistent.
--header 'Authorization: Bearer API_KEY_HERE'
You authenticate to the Booqable API by providing on of your API keys in the request.
This can be done by appending ?api_key=API_KEY_HERE to the end of your request URL.
</details>
Comment on lines
69
to
+71
| curl --request GET \ | ||
| --url 'https://company.booqable.com/api/1/customers?api_key=API_KEY_HERE' | ||
| --url 'https://company.booqable.com/api/1/customers' \ | ||
| --header 'Authorization: Bearer API_KEY_HERE' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
While reviewing the API onboarding flow, I noticed the Authentication guide currently instructs users to pass their API keys as URL query parameters (
?api_key=API_KEY_HERE).This is an operations security (OPSEC) risk for teams doing security reviews, as credentials passed via URLs are frequently leaked in plain text across routing infrastructure, reverse proxies, and server logs. Furthermore, modern network security constraints and SSL/TLS terminators (like Cloudflare) can occasionally flag or drop these requests entirely.
Changes Made
cURLexample to use standard HTTP headers (--header 'Authorization: Bearer API_KEY_HERE'), ensuring tokens are securely encrypted within the request metadata.Authorization: Bearerheaders correctly without requiring any middleware modifications.Let me know if the engineering team requires any adjustments!