I did a search for this, but found nothing - well did find stuff, but it didnt make a lot of sense…
Does anyone know how to call into the Coda API from within a pack. I know how to call an API that does not require a bearer token, just not sure how to call one WITH a token.
There is some information on how to authenticate with the Coda API in a Pack in this guide:
If you add that authentication configuration to a Pack it will both create a new API token and pass it along with all the requests.
Let me know if that helps.
I am working on a Pack which retrieves content from an external API.
It would be useful to use the Coda API to both insert and manipulate the new content.
However that would require authorizing both coda.io and an the external domain. But I get this error:
metadata.networkDomains: Specifying multiple network domains requires Coda approval.
I can think of a number of other use cases where I might want to read from 2-3 different external APIs in one Pack (such as an advanced Weather pack retrieving data from multiple sources) or do a GET from one API and a PUT to another within a Pack.
How does one obtain “Coda approval” for this sort of situation? What would be the harm from generally allowing users to access up to 3 domains in one Pack?
Hi @Richard_Kaplan - You can request an exemption from the one domain restriction using the form linked here:
We typically only grant exceptions when both domains are for the same service or app, or when they are related services that don’t require user authentication.
This restriction exists to help improve the trust and security around Packs. We don’t want Packs that send user data to outside servers, where neither Coda nor the customer has visibility in to how it’s being handled.
Rather than have a single Pack that connects to multiple services or APIs we recommend building a series of separate Packs and using the Coda Formula Language to combine them together. In addition to having the benefits previously listed, it also puts more logic into the doc where the user can easily modify it.
OK fair enough @Eric_Koleda
Might it make sense to make an automatic exception for coda.io as a permitted “second” domain?
It’s something that’s been brought up before, but it would still be a risk sice the Pack could then send data to some other private doc the Pack maker controls. Long term I think we will just build more functionality into the SDK where we can control access more carefully.
OK fair enough - I can appreciate the balance of how much the Pack infrastructure brings to Coda vs the security risks
Do you do code reviews for public Packs and updates similar to what Apple does for its App Store, or do these security controls on the Packs serve that purpose?
No, today we don’t have any review process for Packs. That’s part of the reason for the strict controls on Pack capabilities, to have trust built into the platform instead of per-Pack.