Doug Toppin asked

Should an applicationId be kept private?

Since applicationId is used to uniquely identify my Echo Lambda app, should it be kept private (meaning don't someday push code to GitHub that includes it)? I was just wondering whether or not someone else could start using my app id if they knew it?
Tags: alexa skills kit, debugging

James Chivers answered
Hey Doug,

Welcome to the forums :)

Whilst I don't speak for Amazon, nor have I seen any guidance or warnings on the subject of keeping your App ID secret, I would try to keep it that way. Amazon expect that you at least verify, amongst other attributes, the passed App ID in their requests to your backend - so I would personally treat it as not for public consumption.

https://developer.amazon.com/public/solutions/devices/echo/alexa-app-kit/docs/handling-requests-sent-by-the-alexa-service#Verifying%20that%20the%20Request%20is%20Intended%20for%20Your%20App

Look at it as one less attack vector for a very new platform, and if it's possible to identify your Lambda app, I'd assume that someone would figure it out and do something nasty. Do you need to share it out? Or, can you leave a 'fill me in' for users of your code perhaps?

Cheers,
James

Doug Toppin answered
James, thanks for the tips. I was interested in keeping a good practice list of what should be kept private but I was also thinking of the long run and how putting code in a gist or a repo might be helpful to other people.

AM answered
Just seconding what James said, it should probably be kept secret. Although I believe currently you wouldn't be able to spoof the AppID even if you knew it, since if a request were invoked from an invalid place this would be known to either the Lambda function or the service.

Nick Gardner answered
Hi,

The application ID is a unique identifier for a single specific application. So it's recommended not to hard-code it as a constant in source code, but rather to make it a configurable parameter that is passed to the application. The sample app build.xml for Java shows an example of how to pass application ID(s) to the application via the "supportedApplicationIds" system property.

Thanks,
Nick
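Added example, not part of any post above and not Amazon's sample code: a Node.js Lambda-style handler that combines the two suggestions in this thread, keeping the application ID out of source by reading it from configuration and rejecting requests whose `session.application.applicationId` is not in the configured set. The environment variable name `SUPPORTED_APPLICATION_IDS`, the function names and the sample ID are assumptions made for illustration.

```javascript
'use strict';

// Assumed variable name; the Java sample passes the same data through
// the "supportedApplicationIds" system property.
const ENV_VAR = 'SUPPORTED_APPLICATION_IDS';

// Parse a comma-separated list of application IDs from configuration.
function loadSupportedIds(env) {
  const ids = new Set(
    (env[ENV_VAR] || '').split(',').map((id) => id.trim()).filter(Boolean)
  );
  if (ids.size === 0) {
    // Fail closed: with nothing configured, no request may be accepted.
    throw new Error(`${ENV_VAR} is not set`);
  }
  return ids;
}

// True only when the request carries one of the configured application IDs.
function isIntendedForThisApp(request, supportedIds) {
  const app = request && request.session && request.session.application;
  const id = app && app.applicationId;
  return typeof id === 'string' && supportedIds.has(id);
}

// Lambda-style entry point; export it in your runtime's module style.
async function handler(event) {
  const supportedIds = loadSupportedIds(process.env);
  if (!isIntendedForThisApp(event, supportedIds)) {
    throw new Error('Invalid applicationId');
  }
  return { version: '1.0', response: { shouldEndSession: true } };
}

// Constructed sample values, for demonstration only.
const SAMPLE_ID = 'amzn1.echo-sdk-ams.app.00000000-constructed';
const sampleRequest = {
  session: { application: { applicationId: SAMPLE_ID } },
};
```

With this layout a public gist or repo contains only the variable name, and each user of the code supplies their own ID in the function's configuration.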