How to protect the Realm app id?

Hi All,
I have a simple question. When using the realm sdk for web, I need to specify the Realm app id in my frontend app. Can this be misused? If the realm app rules allow inserts, then what prevents someone from spamming my collection with inserts from his own app?


1 Like

@Debashish_Palit : Welcome to the community.

Realm App id can considered as private property your app and shouldn’t be exposed, but can it misused is hard to answer.

Multiple features are available that can help you prevent such situation like

  1. MongoDB Realm doesn’t allow unauthenticated user access to the Realm Sync.
  2. You can enforced document structure validation while writing information.
  3. Development Mode should be disabled while realising app to production.
1 Like

its safe to share the APP ID in to the frontend code?, its a good practice to paste the APP_ID direct in the js script or its necessary to use a environment variable .env

PD: assuming that authentication by email or other system is enabled

@Freddy_Mansilla: I wouldn’t recommend hard coding the APP ID.

if im working only with a frontend webapp page, without a backend server.

how is the best alternative to connect with mongodb api and don’t share the APP_ID in the js script? is there an alternative? does mongodb app services hosting has a tool to save environment variables?

what is the best scheme to work and get safe?
thanks to answer I really appreciate.

1 Like

Hey @Freddy_Mansilla have you found a solution to that? I’m stuck with the same problem actually

check this @Luca_Scalenghe

link: Web SDK - Realm App ID - #2 by nlarew