Envato API Token Reveal

I find Envato API to be very useful but I have only one problem with this option. Every time I set up a new Token I have the option to see the respective token only when I set it and each time I have to make sure I keep it very well because otherwise I have no option to see the respective token again.

Is it difficult to add a function that allows you to always see the token?

1 Like

Completely agree here! :slight_smile:

I think they did it this way as a security measure, but in my opinion it’s all a bit overprotective at the moment. Most large APIs out there nowadays allow you to retrieve an existing token, though they conceal it without some input, for example:

Anyway, just wanted to give a massive +1 from me! Perhaps a developer like @rosssimpson can think about this! :slight_smile:

Cheers!

1 Like

Hi @margescualexandru!

@baileyherbert is right, we don’t expose the token value for security reasons – actually we can’t expose it because we don’t store it! We store a representation of the token internally that we can compare with the value you send in your API requests, but as soon as the token is created we discard the actual token value. This was a conscious choice made when the API was designed. If there’s ever a data breach of this system, the token values cannot be exposed.

Tokens should be treated just like passwords and stored securely, ideally in a password vault. That way you can access them whenever necessary, but they’re protected from accidental exposure.

@margescualexandru can you explain your use case for needing to fetch the token value after creation (either here or in a DM)? Perhaps you’re using the API in a way we hadn’t anticipated.

1 Like

Hi @rosssimpson ,

Thank you for your reply. I understand your point of view regarding the security of the account. To be honest, it's not a huge problem regarding the usage of the API, it was more of a suggestion / question.

I’m a UX designer and in my way of seeing these sorts of systems it breaks one basic rule I have, which is “If an account has security / double security using two-form authentication / then why not leave the option to the user to keep that secure without needing to create an extra file (extra step) with something in it”, which translates into “why create unnecessary steps when they are not needed?”

E.g. Google API’s platform

From a logic point of view,

  • If anyone breaks the account he can still create a new Token and delete the others
  • If anyone breaks the WordPress account he can retrieve the Token in the Envato Plugin console

So I don’t see a real reason to hide that as the extra step for security doesn’t actually protect anything more valuable than the actual account.

The original thought when I opened this topic:

I have 30 clients and not all of them have the plugin installed, and I’m currently organising them maybe in

  • Clients Category 1
  • Clients Category 2
  • Clients Category 3
  • Personal Projects

and so on…

During the process, I wanted to add a new client in one category and simply forgot where the Token Details were saved, so I had to search for a website outside my personal projects that has that “clients” Token, so I logged into multiple WordPress accounts to find the right one and after that I was able to find the Token I needed. ( I could have created a new Token to rush things but my OCD didn’t allow that / I could have kept the Token in an easy-to-find file but sometimes you forget these “extra steps” working on multiple projects at once / I could have had the option to reveal the Token in my Envato account and this sounded like the perfect solution from a UX point of view )

I’m not an English native speaker and I’m also really s@&tty when it comes to expressing my thoughts, so if you have any questions please let me know :smiley:

@baileyherbert Thank you for your interest in my suggestion.

1 Like

Generally, you want to create a new token for each plugin. This way, if you ever need to deactivate one plugin’s access for any reason, you can do so in a click without affecting the others. That’s a pretty rare scenario though - it’s not something that we usually think about when dropping a token into a WordPress site.

Thanks @rosssimpson for the clarification. Hashing tokens is understandable as an infrastructural decision, and I think we can all appreciate the extra effort towards security in a world teeming with frequent data breaches!

For me, being able to copy an existing token from the API dashboard sounds more appealing than digging through my crowded filesystem to find it written down in some encrypted spreadsheet. And having to add new tokens to the spreadsheet every time?! How much extra work would you have me do? :rofl:

Given your explanation, I understand it’s pretty unlikely this will ever change. Guess it’s time to brush all this dust off of Excel. :stuck_out_tongue_winking_eye:

Cheers guys!

Thanks both of you for your replies :slight_smile:

@margescualexandru: I can understand your reasoning and don’t disagree. However, there are a few additional factors that we take into account:

  • Though we offer multi-factor authentication, not all users use it. For us to remove a security mechanism in one place (e.g. around tokens), we’d want to see at least an equivalent level of protection added elsewhere (e.g. forcing all users to use MFA).
  • The system storing (hashed) tokens is isolated from other systems. If it were compromised, it’s unlikely that an attacker would be able to use the information found there.
  • If your Envato account were compromised, then yes, a new token could be created. However, we have many layers of protections around accounts that aim to make this less and less likely. The new token would also be visible in your list of tokens and could be revoked.
  • If a WordPress site containing a token were compromised, then unfortunately the attacker could indeed access the token. The only recourse here would be to revoke the token.

While it would be possible to rearchitect the API to have visible tokens, it’s unlikely to happen without some really compelling reasons (it’d be a significant amount of work).

In the meantime, I’d suggest looking at a password vault/manager rather than an Excel sheet or storage on your filesystem. There are lots of options, both free and paid (1Password, LastPass, Dashlane, KeePassX, Pass, …).

I appreciate your input, and we’ll keep it in mind in the future!

2 Likes