API keys
By providing a valid API key to ThumbmarkJS (see Options), you can dramatically increase the uniqueness of the thumbmark.
The reason this drastically improves the uniqueness of the thumbmark is because the Thumbmark backend will have access to more sources for the fingerprinting, such as HTTP headers and intricate details of how it performs the TLS handshake.
You can obtain your free API key from the ThumbmarkJS console.
Allowed origins
If you know the origin domains that will make calls to the Thumbmark API, you can explicitly name the allowed origins. Log into the ThumbmarkJS console and list the allowed origins that can make calls to the API.
Do not provide the protocol (e.g. https://), and don't add a trailing forward slash '/'. Instead, just give the end of the domain name you wish to allow, as in
- google.com
- docs.thumbmarkjs.com
- localhost
localhost is useful to list if you plan on making calls to the API from a local development environment. You can use subdomains, but if you specify e.g. example.com, it allows subdomains like sub.example.com as well.
Authorization caching
When an API call is made, the backend checks for authorization before it passes the request onward. This authorization is cached for 5 minutes. The cache uses the origin of the request as well as the api key as identity sources, meaning, for the same request origin and the same api key, the authorization result will not change for 5 minutes.
If you make changes to the allowed origins, you might need to wait a maximum of 5 minutes before the changes take effect. You can regenerate the API key though to "reset" the cache, since the identity source (api key) changes.
Test your implementation without allowed origins first and secure the API with the right allowed origins after. Then test that it still works.
Avoid exposing the API key
A good system design is one that doesn't expose the API key to the visitor. You could for example have the client ask for the API key from the backend, before instantiating Thumbmark with it. Your call!