I'd like to create a browser app, not mobile. Ideally, people should be capable of getting their data via JS in a programmatic way. For example, to retrieve data from my backend. How could I achieve this?
You'd want to use the REST api for that, right? What's holding you up specifically?
David Pelaez T.
almost 8 years ago
I'm not sure if the Kinvey Rest API would be the same for my API. For example, access should ideally be handled with secret tokens created on my APP. Or consider something like Gmail app specific passwords, if I have data that other people need to access on my behalf, then giving my credentials is very risky. In the same way that you don't give you user and pass for apps to use the Facebook API on your behave. This sort of things of how it's different to use an API from the browser as a user as opposed to using it from a server, made me present this question. In parse (sorry but I don't know how else to explain further) you'd host an Express app exposing the API as you desire and using the BaaS power within it, like a mixed solution that's way better than your own hosted API. This feature covers for all the limits of BaaS by letting you provide a solution, hosted and handled on the platform itself. Is it clear now the limits that I'm currently seeing? Please let me know if there something else I can add to make it better.
almost 8 years ago
You could add collection hooks or rpc endpoints that will translate a secret token header created by your app into proper credentials in order to access the baas documents perhaps?
over 7 years ago
If tweaking access to data using the [Kinvey ACL](http://devcenter.kinvey.com/guides/security#Accesscontrol) is not sufficient for you, I’d recommend the following architecture:
1. Create a Node.js (Express) app which talks to the Kinvey REST API. You can use the [Node.js library](http://devcenter.kinvey.com/nodejs) for that.
2. Add an authentication layer to your Node.js app, which provides "app specific passwords".
3. Let the client (browser) authenticate against your auth layer added in 2. If successful, allow access to your API created in 1., which talks to your backend.
The browser will thus always connect to your own app, and you can do authentication appropriately, and expose your own REST API to the client.