Does Qualtrics support integrating with APIs via the implicit grant flow of Oauth 2.0?

Question

Has anyone had any success with using Qualtrics to call secure APIs without API keys or is there a way to hide API keys from form editors?

We are attempting to integrate Qualtrics with our custom Student Information System restful API using the implicit grant flow of Oauth 2.0.
We aren't comfortable adding secret keys to Qualtrics forms our editors would be able to see and potentially abuse (accidentally removing authentication, ect).

We could build a custom javascript function that sends the client to our Authorization server to get an access token onLoad, that is then used to set an embedded field that is sent to the (API) Resource server as a bearer header. This custom javascript function would be very volatile to Qualtrics updates.
- Another option may be to use our existing federation (SAML) to generate access_tokens.

TomG · Accepted Answer

You could write a web service script that contains the API key(s) (or retrieves them), then pass the API requests from the surveys through it.  That way the form editors wouldn't be able to see or change the API key.Regarding your idea for a custom JavaScript, a web service that returns an embedded field would be a better choice.

jsonner · Answer

Thank you for your quick response!The web service script containing API keys would be world accessible. Anyone who stumbled upon the API key end-point could use the keys to access and update highly sensitive information. We could lock it down to Qualtrics IP range, but any Qualtrics user could find the end-point and display the embedded field. This sounds like security by obscurity. Is there any other way to hide secrets from form editors?

Sign up

Login to the Community

Scanning file for viruses.

This file cannot be downloaded