Keeping deviceID and access tokens private on the Web

Hi, I’ve been having a blast working through Photon examples and tutorials. So much fun that I want to put a few of the web interfaces on a public web page, so that people can see them work.

Two things:

  1. Is there an easy way to keep my deviceIDs and access tokens private? I don’t want them to be available to anyone who clicks View Source.

  2. Many of the examples automatically generate a “results” page. Can I supress that online, or capture it a different way? The people who will see these examples will be able to see the servo action, or the diode flashing, so i don’t need to display a results page.



I wrote up an example of using Particle API JS and prompting for username and password in a web form and optionally storing only a temporary access token only in a browser cookie. It uses jquery so it might be a little more than you’re looking for, but it might have some tricks that you might find helpful. It runs entirely in the browser, no server code required.


Nice as that may be, that won’t allow others to see his data without knowing his credentials, which kinda defeats the purpose :wink:

  1. You can ‘hide’ your credentials by using PHP and handling all that ‘stuff’ on the server side.
  2. You can suppress ‘result’ pages by not using HTML forms, but rather javascript. There are some examples in the tutorial section for those :smile:
1 Like

Thanks Moors7.

Where would I find some info on using PHP? I work with a bunch of PHPers (in the Drupal world) so I might be able to get some help there.

Also, which tutorials that mention javascript are you thinking of? I probably scrolled right past those parts : )

Thanks again, DC

I personally never used it, but I think @wgbartley has, he might have some insights on this :smile:

I really like this one!

1 Like


on that last example, won’t the javascript – with the device ID and the access code – be visible? Or am I reflecting egregious ignorance of how this could work on a publicly accessible Web page?

The example as-is will show the credentials, correct. If you combine this with a server back-end (PHP, or nodeJS, or…) you should be able to circumvent this. You then make calls using the javascript to the server, which will relay them to the cloud, handling the credentials in the server. Guess that’s what they call a proxy(?)

1 Like