How To Access The Market Data API From A Web Browser Securely

Add the access token to your browser's headers to access the Market Data API from a browser.

September 6, 2020

    If you plan on using a web browser to test Market Data’s APIs, we highly recommend you modify your headers to include the Market Data Access Token. Although we allow some API endpoints to receive your Access Token in the URL, this is not recommended.

    URLs are saved in web browser histories, server logs, and a number of other places. If you expose your access token in a URL, you don’t know where it could end up.

    This is why, at Market Data, we don’t allow trading or any sensitive API endpoints to be accessed using your access token in the URL.

    Unfortunately, most web browsers do not offer a built-in way to modify the headers, so a plugin or extension will be needed. The header you need to add is the following: Authorization: Token <your token>.

    Google Chrome Example

    If you are using Google Chrome, one Chrome extension that has worked well for our team is ModHeader. This extension will let you easily add an authorization header. Just add Authorization as the header name and then Token <your token> as its value. The < > are just for your reference; do not add them. When you navigate to https://api.marketdata.app/ after setting your token, you’ll be able to browse the API and test out all the endpoints with your browser.

    There is one more step to configuring ModHeader. The Authorization header should only be sent to Market Data’s API and not to other websites.

    If you accidentally leave ModHeader enabled, you’ll be sending your Access Token to every website you navigate to. Needless to say, this is very dangerous.

    The next step is to configure ModHeader to only send the token to our API in the extension configuration in Manage Extensions. Use the option “On specific sites” and add api.marketdata.app as the option. This will prevent ModHeader from working on every other page you visit and will only let it transmit your Access Token to Market Data.

    Of course, you can also manually enable and disable ModHeader right from the extension icon, but our team highly recommends adding this safeguard to the ModHeader configuration to avoid accidental transmission of your Token. If you forget even one time to disable ModHeader, every website you visit will receive your token in the headers. If you begin to browse other sites in another tab while using ModHeader with Market Data, you will also transmit your headers to that website.

    We cannot stress enough the importance of limiting the transmission of your token only to Market Data. You will also find that some websites that rely on headers, such as Gmail or Google Drive, will fail and lock you out if you transmit our Authorization headers to them.
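
The same two safeguards, header instead of URL and one allowed host, expressed in script form for anyone calling the API from JavaScript rather than through ModHeader. This is an added example, not Market Data's code; the function names are hypothetical, and only the host api.marketdata.app and the Authorization: Token header format come from the article.

```javascript
// Added example (not Market Data's code): attach the token as a header,
// only for the API host named in the article, and never leave it in the URL.
const API_HOST = "api.marketdata.app";

function buildRequest(rawUrl, token) {
  const url = new URL(rawUrl); // throws on malformed input

  // Remove any query parameter whose value is the token, whatever its name,
  // so the secret cannot end up in browser history or server logs.
  // (delete() removes every parameter sharing that name.)
  let strippedFromUrl = false;
  for (const [name, value] of [...url.searchParams]) {
    if (value === token) {
      url.searchParams.delete(name);
      strippedFromUrl = true;
    }
  }

  // Exact hostname match, HTTPS, default port, no userinfo. A substring or
  // suffix check would also accept look-alike hosts.
  const trusted =
    url.protocol === "https:" &&
    url.hostname === API_HOST &&
    url.port === "" &&
    url.username === "" &&
    url.password === "";

  // Every other destination gets no Authorization header at all.
  const headers = trusted ? { Authorization: `Token ${token}` } : {};
  return { url: url.href, headers, trusted, strippedFromUrl };
}

// Usage with the standard fetch API: refuse untrusted hosts outright and
// treat any redirect as an error so the request is never sent elsewhere.
async function apiFetch(rawUrl, token) {
  const req = buildRequest(rawUrl, token);
  if (!req.trusted) {
    throw new Error(`refusing to send token to ${new URL(req.url).host}`);
  }
  return fetch(req.url, { headers: req.headers, redirect: "error" });
}
```
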
