Does Qualtrics support integrating with APIs via the implicit grant flow of Oauth 2.0? | XM Community
Skip to main content
Has anyone had any success with using Qualtrics to call secure APIs without API keys or is there a way to hide API keys from form editors?



We are attempting to integrate Qualtrics with our custom Student Information System restful API using the implicit grant flow of Oauth 2.0.

We aren't comfortable adding secret keys to Qualtrics forms our editors would be able to see and potentially abuse (accidentally removing authentication, ect).



We could build a custom javascript function that sends the client to our Authorization server to get an access token onLoad, that is then used to set an embedded field that is sent to the (API) Resource server as a bearer header. This custom javascript function would be very volatile to Qualtrics updates.

- Another option may be to use our existing federation (SAML) to generate access_tokens.
You could write a web service script that contains the API key(s) (or retrieves them), then pass the API requests from the surveys through it. That way the form editors wouldn't be able to see or change the API key.



Regarding your idea for a custom JavaScript, a web service that returns an embedded field would be a better choice.
Thank you for your quick response!



The web service script containing API keys would be world accessible. Anyone who stumbled upon the API key end-point could use the keys to access and update highly sensitive information. We could lock it down to Qualtrics IP range, but any Qualtrics user could find the end-point and display the embedded field. This sounds like security by obscurity.



Is there any other way to hide secrets from form editors?
No, the API keys in a web service script wouldn't be viewable to the world. The web service script would be executable by the world, but not viewable. And, as you point out, you can build whatever additional security you deem necessary into the script.
Executable in form of only responding to PUT, POST, UPDATE, or DELETE HTTP requests vs GET HTTP request?



Anyone can send any type HTTP request to a world accessible API end-point and view the response.



API scripts can be secure by exchanging secret keys or OAuth access_tokens. We trust Qualtrics to safely store our secret keys, but we don't want the keys visible to form editors.

Leave a Reply