Using Trakt API in Shortcuts

[devondundee]

I’m creating a shortcut for Apple platforms that uses the Trakt API, and I want to make sure I’m following best practices.

My shortcut makes a single call to the Trakt API to get a user’s watch history for the current day. It’s meant to be used once per day, certainly not more than a few times in a day.

When I distribute the shortcut, would it be appropriate to include my app’s API key? Or should I direct users to sign up for their own?

I don’t want users to hit a rate limit if several people are using the shortcut at the same time, though I don’t think that would be a problem if rate limits are based on IP address. The API key will be stored in plain text and user-accessible as Shortcuts actions can’t be concealed or locked.

What would be the best way of going about this?

[shokk]

@devondundee can you share your shortcut?

[devondundee]

Happy to! https://www.icloud.com/shortcuts/2ec35497c5224946ba791b345dbb23be

[kevincador]

Hey,

I was about to open a new discussion and found this one.

Following the latest announcement about new token validity, I've been thinking about how to use the Trakt API and Device Authentication and thought I'd share what I tested.

I've created 4 Shortcuts that work, more or less, together to:

1. Trakt API Setup: setup the required API key, API secret and redirect URI,
2. Trakt Get New Token: get a first token via the Device Authentication,
3. Trakt Get Fresh Token: always use a valid token, refreshing the one on file if needed,
4. Trakt Get History: get the user history using me to avoid asking for the username.

It works nicely on both iPhone and Mac 😏

Trakt API Shortcuts Test.zip

⚠️ Some warnings ⚠️

• Since Shortcuts doesn't have access to the Keychain or another more secured data pool, I'm using plain text files to store API configuration in Shortcuts/trakt/config.json and to store token info in Shortcuts/trakt/token.json. You can check and open the files via the Files app. They are synchronised on all your devices via iCloud.
• If you use these Shortcut on multiple devices, and have iCloud sync activated, you may end up refreshing the token before a new one is created. The OAuth way to deal with this is to invalidate both old and new tokens. It is a security safeguard to avoid an attacker to refresh a token he would have found. So make sure the token.json file is synchronised before a refresh needs to be done otherwise the seamless session refresh will break and you'll need to re-auth yourself again (not a big deal but not as seamless).
• A LOT of edge cases have been avoided. Only the happy path has been tested, there is almost zero error handling. Please don't take this as a fully functional, production ready thing.

Hope this helps someone ✨