when calling RESTful api, is it safe to put api token in http request header? e.g.: Uber reminder api

Question

You can use uber RESTful api to send a reminder, e.g. "Movie at local AMC", to Uber app user. The api document is here.

POST /v1/reminders

But you have to put a token(they call it server token) in http request header for authentication. Doc is here.

curl -H 'Authorization: Token YOUR_SERVER_TOKEN' \
'https://api.uber.com/v1/products?latitude=37.7759792&longitude=-122.41823'

User can use chrome dev tool to see the token. My question is:

Is it secure to put app token in http request header sending from front-end? Why? Should I call reminder at server or in the browser using Javascript?

Answer 1

While it is possible to remove and generate new server tokens in the Developer Dashboard (screenshot below), you should not make your server token publicly available (e.g. through JS variables in the frontend). With this token, others could create, retrieve, update, and delete reminders.

Furthermore, the server token could be used to retrieve estimates (price & time) and Uber products on your behalf. This may sound insignificant but could impact your application's rate limiting (2000 requests per hour). If the server token is in the wrong hands, it could effectively prevent your application from communicating with the Uber API periodically.

I'd strongly recommend implementing this on the server-side.