Hi, please help to understand the following questions
What is the implementation behind Builder’s RegisterComponent method and why do we not need a public key for registering a custom component?
Assume that I am registering a component using Builder SDK from my local server using Builder.registerComponent. The registered component is available for consumption if I use localhost as the preview url in Builder IO. However, my understanding was, once you register a component in Builder IO, irrespective of the preview url, the component should be available for consumption.
Currently the public key is exposed as part of the cdn url of builder io. For eg, https://cdn.builder.io/assets?%2F{public_key}%2F. What are all the exploitations/actions possible through the public api key?
Thank you for reaching out to the Builder.io Forum. My name is Veronika and I am a Customer Engineer here at Builder.
The implementation of the Builder.registerComponent() method does not require a Public API key because it’s primarily used to register components within your local environment for the Basic Visual Editor. When you register a component, the registrations happens within your codebase and is intended to show up in the Basic Visual Editor UI as a custom block so you can freely drag and drop it while building your website. This is purely developmental setup within custom components in Builder so that they show up in the UI to be used; so we don’t need a Public API key for that. Once you register the component in your codebase, the component will be available for consumption in your environment.
Here is a helpful doc to read in terms of registering components.
The Public API key being exposed as part of the CDN url shouldn’t be an issue. The public API key is designed to be exposed; it’s just mainly to identify the space or organization from Builder where content is being fetched from. Since the API key is read-only access, it’s just typically used to fetch content. Due to this, the exploitations/ actions are pretty minimal. It’s just for retrieval of content.
With this being said - it’s recommended to ensure that any of your sensitive operations are being safeguarded by authentication measures and are not being exposed with the public api key.
Here is some more information about the Public API key.