Skip to main content

Proving the identity of the logged-in user in 3rd party API calls from the Theme

How can I prove the identity of a logged-in user in a Nationbuilder theme to a 3rd party API that I control? As officially answered in, there's no way to get an API token or other token from Nationbuilder inside of javascript that can prove the identity of the logged in user to third party APIs. However, that answer also says the correct way to make Nationbuilder API calls from a theme is to set up a 3rd party API and call it from the template. So, how can I prove to the API that the request coming in is in fact coming from a logged-in user in nationbuilder and isn't being faked? And how can it verify the user ID is in fact who the user request says it is? Another way would be to use a HMAC with a secret key inside of liquid, but as officially answered in, there are no hmac filters in nationbuilder either. So what's the recommended solution? Or do I just need to not have any authentication on the API, and just pray that the requests are really coming from a logged-in user on Nationbuilder and not a malicious actor?


Official response from

I've discussed this with colleagues and we are a little unclear as to what your aim is here. If someone is logged in as a control panel user, then they are able to access the data directly through the control panel. The API is not designed to be used in conjunction with control panel access in the way you describe. So there isn't a tool to facilitate authenticating control panel access. There shouldn't be any need to do this, as any data that could be surfaced via the API for a logged in control panel user could be accessed directly via the control panel. 
If you want to email more details of what you are trying to build to [email protected] we can take a look if there are other ways to achieve it.

Share this post

Showing 2 reactions

How would you tag this suggestion?
Please check your e-mail for a link to activate your account.