Categories Security
Created by Guest
Created on Aug 20, 2025

Enable secure authentication for calling custom InboundDataExtension APIs from HTML templates without exposing API keys in client-side code.

How:
Provide a supported mechanism (e.g., token exchange, session-based auth, or built-in proxy pattern) so that HTML templates can securely call InboundDataExtension APIs without embedding credentials. For example, allow templates to use the existing authenticated user session (withCredentials: true) or provide a secure server-side relay that manages the API key internally.

Why:
Currently, the only working option is to hardcode the API key in the HTML/JavaScript, which is not secure and goes against best practices. Storing secrets in templates exposes production systems to risk. A secure, supported authentication method would align with modern security standards.

For Who:
For inRiver customers and partners who build custom business logic using InboundDataExtension APIs and need to expose this functionality in HTML templates for end users (non-admins).

Impact:

  • Removes the need to hardcode API keys in templates.

  • Enables secure adoption of custom APIs across different user roles.

  • Reduces security risk and improves compliance with IT governance policies.

  • Broadens safe use cases for InboundDataExtension without relying on workarounds.

Additional context:

  • WithCredentials-based calls currently work only for admin users, not regular users.

  • This limitation forces insecure practices.

  • Suggested solutions include:

    • Supporting role-based session authentication for InboundDataExtension APIs.

    • Providing a native server-side relay/proxy for template requests.

    • Allowing configuration of secure API token exchange.

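The server-side relay pattern suggested above, as an added example: it is not inRiver code and not part of the original request. The route table, role names, API key header name, upstream host and session object shape are all assumptions; the session is taken to come from the platform's existing cookie-based login.

```javascript
// Added example. Every name, path, role and header here is an assumption.
// Relay route -> upstream extension path and the roles allowed to call it.
const ROUTES = new Map([
  ["/relay/price-update", { upstream: "/inbound/price-update", roles: ["editor", "admin"] }],
]);

// Length-checked comparison that does not exit early on the first mismatch.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a browser request may be relayed and, if so, build the
// upstream request. The API key comes from server-side config only.
function buildUpstreamRequest(session, req, config) {
  if (!session || !session.userId) return { status: 401, error: "not signed in" };
  if (req.method !== "POST") return { status: 405, error: "method not allowed" };
  const route = ROUTES.get(req.path); // exact match: no client-chosen upstream path
  if (!route) return { status: 404, error: "unknown relay route" };
  if (!route.roles.some((r) => session.roles.includes(r)))
    return { status: 403, error: "role not permitted" };
  // The session cookie is sent automatically, so require a CSRF token as well.
  if (!sameToken(req.headers["x-csrf-token"], session.csrfToken))
    return { status: 403, error: "bad CSRF token" };
  return {
    status: 200,
    upstream: {
      url: config.upstreamBase + route.upstream,
      method: "POST",
      // Headers are built from scratch; nothing from the browser is copied,
      // so a client cannot supply or override the key header.
      headers: {
        "content-type": "application/json",
        [config.apiKeyHeader]: config.apiKey,
      },
      body: JSON.stringify(req.body ?? {}),
    },
  };
}
```

The HTTP handler that wraps this function sends `upstream` with the server's own HTTP client and returns only the response body to the template, so the key never appears in client-side code or responses.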