Solved

Best practice for protecting MIXPANEL_TOKEN in Web?

  • 21 April 2020
  • 2 replies
  • 352 views

Since initializing the SDK for the Web requires providing the MIXPANEL_TOKEN in plain text, a keen user should be able to easily discover this ‘secret’.


From https://mixpanel.com/report/1166668/setup/quick 

mixpanel.init("1a2b3c4d5e6f7g8h9i0j")

...

var e = { msg : "helloWorld" };
mixpanel.track("foo", e );


No doubt there is little to no value in re-using the token for personal use on an unauthorized site, as an unauthorized user would not have access to the dashboard to view their data.


However, if the intent of a malicious user is to cause financial harm (of a competitor?), they could easily drive up the Mixpanel operating costs of their target by using their token to submit a high volume of calls to the track() function.


What is the best practice for protecting against such misuse?

  • Obfuscate the token ID somehow?
  • Should I create a server-based API as a facade for Mixpanel?
  • Can I whitelist a specific domain that is only allowed to use the token?
  • etc.?



Best answer by stephanie 22 April 2020, 21:35

Hi @adams,

While no one would be able to access your data with the project token alone, it is possible that someone could send undesired data to your project with the token but, in my years of operation, we have yet to see this sort of malicious thing happen. 

If you had a concern about someone tampering with your web analytics, the best way to ensure the accuracy of your data would be to use a server-side implementation. This would allow you to validate any data sent to Mixpanel and provide an additional layer of security.

I also wanted to mention that while a token is public, your api secret is private and available only to you, which is required for exports of any kind. 

Hope this helps!

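A sketch of the server-side facade that both the question and the answer point to, added here as an example (it is not Mixpanel's code and not from anyone in this thread): the browser posts events to your own endpoint, the server checks them against an event allowlist, a property schema and a per-client rate limit, and only the server attaches the project token. The `forward` callback, `ALLOWED_EVENTS`, the bucket sizes and the client identifier are assumptions; the payload shape follows Mixpanel's HTTP track API (event plus properties carrying token, distinct_id and time).

```javascript
// Added example, not Mixpanel's code: a minimal server-side facade that
// validates browser-submitted events before forwarding them to Mixpanel,
// so the project token never ships in client-side JavaScript.
// Assumptions (hypothetical): MIXPANEL_TOKEN comes from the environment and
// `forward(payload)` is the caller-supplied function that POSTs to
// Mixpanel's /track endpoint (omitted here so the example runs offline).

const MIXPANEL_TOKEN = process.env.MIXPANEL_TOKEN || "PLACEHOLDER_TOKEN";
const ALLOWED_EVENTS = new Set(["signup", "foo"]); // events your site actually emits
const MAX_PROPS = 20, MAX_STR = 256;
const BUCKET = { capacity: 30, refillPerSec: 1 };  // per-client token bucket
const buckets = new Map();

// Token-bucket check keyed by client (e.g. a session id or source IP).
function allow(clientId, nowMs) {
  let b = buckets.get(clientId);
  if (!b) { b = { tokens: BUCKET.capacity, last: nowMs }; buckets.set(clientId, b); }
  b.tokens = Math.min(BUCKET.capacity, b.tokens + ((nowMs - b.last) / 1000) * BUCKET.refillPerSec);
  b.last = nowMs;
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// Validate one browser request body; return the forwarded payload or a rejection.
function processTrack(body, clientId, nowMs, forward) {
  if (!allow(clientId, nowMs)) return { ok: false, status: 429, reason: "rate limited" };
  if (!body || typeof body.event !== "string" || !ALLOWED_EVENTS.has(body.event))
    return { ok: false, status: 400, reason: "unknown event" };
  const props = body.properties && typeof body.properties === "object" ? body.properties : {};
  const keys = Object.keys(props);
  if (keys.length > MAX_PROPS) return { ok: false, status: 400, reason: "too many properties" };
  const clean = {};
  for (const k of keys) {
    const v = props[k];
    if (k === "token" || k === "distinct_id") continue;  // the server owns these fields
    if (typeof v === "string" && v.length <= MAX_STR) clean[k] = v;
    else if (typeof v === "number" || typeof v === "boolean") clean[k] = v;
    else return { ok: false, status: 400, reason: `bad property ${k}` };
  }
  // The token is attached here, server-side; the browser never sees it.
  const properties = { ...clean, token: MIXPANEL_TOKEN, distinct_id: clientId, time: Math.floor(nowMs / 1000) };
  const payload = [{ event: body.event, properties }];
  forward(payload);
  return { ok: true, status: 200, payload };
}

module.exports = { processTrack, allow };
```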

2 replies


@stephanie Does MixPanel have any plans to implement the ability to whitelist specific HTTP referrers for a token to avoid the possibility of unauthorized use? I’m thinking about something like what Google has implemented for their API keys.
