Frontend / backend

  • 6 March 2020
  • 4 replies


It seems that all my clients (website, mobile, backend) have to share the same token (project's token). Is there a way to say this event is sure because it has been sent by the backend? I mean, what guarantees that this data hasn't been sent by someone who retrieved the token from the frontend JS snippet? I’m concerned about calls to track_charge() for example.



Hi @mathieug —

It is correct that your token is public; however, in my 2+ years at Mixpanel I have never seen malicious events get sent to a project. That being said, if you want to confirm that specific data is sent only from your backend, you can add a filter to your report to only include events from a back-end Mixpanel library.

It is also worth mentioning that while a token is public, your secret is private and available only to you, which is required for exports of any kind. 


Let me know if you have any specifics that I can help address!




Cherise from Mixpanel

Thank you @cherise. Even the filter on the library doesn’t prevent malicious events; anyone can send an event with the library attribute set to anything.

I see an answer has been set as best answer. To me, my question isn’t solved.


Hi @mathieug —

Is this something that you are observing in your project? If so, I’d want to learn more about what you are seeing so we can create a plan to prevent this, figure out why it may be happening, or explore whether you are seeing bot activity that could be removed. 


If this is preventative, I would recommend that you use additional property filters that you know are only getting sent from your team. Maybe there is a unique property name or ID that you are sending that would only be known to you and your team.


Let me know how that sounds! Also, I confirmed that none of my responses have been marked as best answer and I will keep an eye on this thread to make sure that you get a timely response!
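
Added example (not part of the original thread and not Mixpanel code): one way to harden the "property only your team knows" idea is for the backend to attach an HMAC tag computed over the event's content, then check that tag when analysing exported events, so the key itself never appears in any report. The property name `origin_sig`, the key, the `amount_cents` field and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a key held only by the backend (load it from a secret store).
BACKEND_KEY = b"constructed-demo-key-not-a-real-secret"
SIG_PROP = "origin_sig"  # hypothetical property name

def _canonical(event):
    """Serialize event name and properties (minus the tag) deterministically."""
    props = {k: v for k, v in event["properties"].items() if k != SIG_PROP}
    body = {"event": event.get("event"), "properties": props}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_event(event, key=BACKEND_KEY):
    """Backend side: return a copy of the event carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    return {"event": event["event"],
            "properties": {**event["properties"], SIG_PROP: tag}}

def is_backend_event(event, key=BACKEND_KEY):
    """Analysis side: True only if the tag matches this event's content."""
    tag = event.get("properties", {}).get(SIG_PROP)
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    # Compare as bytes so a non-ASCII forged tag cannot raise TypeError.
    return hmac.compare_digest(tag.encode(), expected.encode())

def trusted_events(exported):
    """Keep only events whose tag verifies under the backend key."""
    return [e for e in exported if is_backend_event(e)]

# Constructed sample events. Integer cents avoid float re-serialization drift.
GENUINE = sign_event({"event": "charge", "properties": {
    "distinct_id": "user-1", "time": 1583452800,
    "amount_cents": 4900, "mp_lib": "python"}})
# Sent with the public token: claims a backend library but has no tag.
FORGED = {"event": "charge", "properties": {
    "distinct_id": "user-1", "time": 1583452900,
    "amount_cents": 999900, "mp_lib": "python"}}
# Reuses a valid tag on different content: the tag no longer matches.
TAMPERED = {"event": "charge", "properties": {
    **GENUINE["properties"], "amount_cents": 999900}}

if __name__ == "__main__":
    for name, ev in [("genuine", GENUINE), ("forged", FORGED), ("tampered", TAMPERED)]:
        print(name, is_backend_event(ev))
```

The tag only helps where the key stays server-side; any client that embeds the key can forge events just as it can with the public token.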