Announcing SteemAccess: Enabling Third Party Apps to Interface with Steem
I'm really excited to announce the alpha of our new product SteemAccess.
SteemAccess is our solution to the problem of integrating third-party applications with steem without requiring you to disclose private keys to those applications. Instead, the third-party application or website requests permission to act on your behalf, and you may accept or decline each request.
Demo: https://www.steempower.org/oauth2/demo
Markdown Editor - Post Directly to Steemit
We are happy everyone has been enjoying our full markdown editor, and we're pleased to announce that it can post directly to Steem without needing to copy and paste your text into Steemit.
Type in your post title and category, fill in any tags and click Publish.
SteemAccess Current Features
SteemAccess allows registered applications to perform the following actions with your steem account:
- Read your profile information
Read information from your profile or blog. Note that applications cannot change your profile, only read it.
- Upvote posts on your behalf
Applications can upvote posts for you; this feature is used by Steem PowerTrail, for example.
- Post content on your behalf
Applications can make posts for you; this is used by apps such as our editor.
Security and Privacy
We take your security and privacy very seriously, and that is why we built SteemAccess so that we can offer useful tools and apps to you without compromising your steem account. The only time our server sees your private key is immediately after you log in and whenever it is needed to perform an action. Unencrypted private keys are never written to disk, only stored in memory. To protect your private key from being compromised, we use the highest possible key length to encrypt it using the well-tested Blowfish algorithm. From time to time we will also revoke all capabilities and switch encryption keys.
Third party apps are restricted to performing actions that you have authorised them to perform and we are working on a web interface that will allow you to revoke permissions at any time from any supported application. In addition, the current default is to expire all granted permissions after 1 hour.
API Updates
We've made some awesome updates to our API for everyone to enjoy.
We have various APIs available that enable you to integrate your own applications and scripts with steem. These APIs are intended to make life simpler for application developers and provide the tools needed to interact with steem so that you can focus on your own application and not the details of integrating steem.
The current API endpoints are listed below:
- REST
https://www.steempower.org/api-v0
Public read-only service
This endpoint offers a REST interface with resources represented as JSON. At present this is a read-only API and intended to enable applications such as blogs on external sites pulling data from the steem blockchain.
- OAuth2 user authorization form
https://www.steempower.org/oauth2/auth
Available only to specific developers, currently in alpha
This endpoint implements part of the OAuth2 standard and allows applications to request capabilities by presenting a form to the end user. You should NOT access this endpoint directly from your server but instead should direct the user's browser to it. Parameters are passed as standard HTTP GET query values and are documented below.
- OAuth2 popup JavaScript
https://www.steempower.org/oauth2/popup.js
Available only to specific developers, currently in alpha
In order to provide a consistent experience for end users you should present the OAuth2 authorization form as a popup window with a resolution of 532x824 pixels. Your redirect URL should also be compatible with this resolution.
This endpoint provides a JavaScript function that may be used to create such a popup from your own application.
- OAuth2 token retrieval
https://www.steempower.org/oauth2/token
Available only to specific developers, currently in alpha
You may obtain the granted capability URLs and username via this endpoint. Parameters are passed as GET query values. This endpoint should be accessed directly by your server and NOT via the user's browser. You should also treat the parameters and return value for this endpoint as sensitive information: by design, the capability URLs are not tied to a specific IP address and may be used by anyone who possesses them.
- HTTP Capabilities
https://www.steempower.org/caps
Available only to specific developers, currently in alpha
This endpoint is the default endpoint for capability URLs generated on behalf of a steem user or any other entity. The usual way to obtain them is to use the OAuth2 protocol as described above. By making use of the capabilities API your application may act on behalf of the end user using a simple HTTP interface.
SteemPower Witness Vote
Help keep SteemPower running! Voting for us as witness pays for the development of apps and tools for Steem.
Vote for us as a witness the following way:
Go to https://steemit.com/~witnesses and click the arrow next to "charlieshrem".
Does this mean steempower.org has to have a copy of your key?
Good question - We never ask for your owner or active key, only your posting key. Your posting key gives us access to only post/vote on your behalf. The only time our server sees your posting key is immediately after you log in and whenever it is needed to perform an action. Unencrypted posting keys are never written to disk, only stored temporarily in RAM. To protect your posting key from being compromised we use the highest possible key length to encrypt it using the well-tested Blowfish algorithm. From time to time we will also revoke all capabilities and switch encryption keys.
Posting keys can NEVER be used to touch any funds in your account.
I'm glad to see you are taking the storage of keys very seriously even if they are only posting keys.
I was going over the responsibility of hosting keys securely with a friend earlier today when discussing a new Steem based project. I was thinking of an encryption solution like you described but I think you just solved all my issues. I'll just let you host the keys.
Thanks!
When you have time would you explain what "vote on your behalf" means exactly? Just like it sounds I'm sure tho, as in Vote Like A Bot? (good dot com for ya maybe)
Basically I can go to work or to sleep and SteemPower.org will just upvote articles automatically, and I get paid?
Essentially, we are building SteemPowerTrail so you can follow the trail of curators who vote on good content or you can donate voting power to @curie or @robinhoodwhale
More information: https://steemit.com/steemit/@charlieshrem/steempowertrail-alpha-follow-curators-and-your-favorite-authors-donating-all-my-voting-power-to-curie
Yup I remember that, thanks for the clarification.
Well in my few weeks here I've never voted for a witness, and I'm even a bit sketchy on exactly what it means (hence the non-voting so far) but you just got my first one. You do tons here to make it better, thanks greatly, and I hope my vote helps you help others.
It means just what it sounds like: an external app can get permission to upvote on your behalf. Once it has that permission it can indeed do it while you sleep.
Right, I was mainly asking the "and I get paid" question, for clarity, comparing this to steemvoter.com for instance (which I haven't signed up for, but might). Charlie seemed to indicate that his was for donating voting power to worthy others, if I understood correctly.
WOW! My wish from the comment has been granted!
Way to go @charlieshrem and @garethnelsonuk
I plan to use this from here on out! ;)
We listen :)
That's what I like to hear!
Shrem on! ;)
GREAT NEWS!!! Thank you for your hard work and dedication to quality work. Looking forward to using these tools. Namaste :)
Please let me know what you think of this project @charlieshrem.
https://steemit.com/vip/@voteinterestpool/vote-interest-pool-vip-feature-contentjunkie
I'd appreciate any feedback you have.
You guys are working fast at steempower.org. Everything is looking great! Hopefully catch you in steemspeak radio again :)
I am constantly astounded by the speed with which new things are developed for Steemit. This is anarchy in function :-)
Very cool!
Very interesting and useful stuff. Possibly long reaching for all sorts of applications.
May I ask a stupid question?
When I enter my posting key into the Steem posting key field - who guarantees that it isn't stored someplace? Except your words, of course :)
At the end it is the matter of trust. Or am I wrong?
PS: I could ask the same question at FB or G+ or ..., of course :)
Your key is stored, but stored encrypted - and even the encrypted form is not actually saved to disk in our server.
The server could of course store the key instead of encrypting it though and you only have my and charlie's word on that. If it helps, it'd be quite silly to actually hijack someone's account while trying to build things for the community.
Then of course there's the fact you can generate a second posting key in the cli wallet and use that instead. If SteemPower ever becomes untrustworthy then you can revoke that key.
You are correct in saying that you could ask the same on facebook or whatever - but at least with SteemAccess we are actually taking precautions to NOT store your key until it's used. Then of course third party apps can be authorised safely because SteemAccess can revoke caps if the third-party app is malicious.
I'm quite proud of this system actually - all of this works without a database at all (seriously - there is no database) unless you count the blockchain as a database. A bit of crypto magic means that we encrypt your key and any parameters needed to perform the action requested by the app, and then we go insane and send this to the app - which can now use the cap to do stuff until it's expired (an expiry timestamp is simply checked against current time - still no database).
When making an HTTP request, you send the URL you're after back to the server. The server then just treats it as a string, decrypts it, checks for expiry or revocation and then does what was requested and sends back results.
Your posting key is basically stored with the authorising app, but in a way they can't access it.
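The stateless capability scheme described in the comment above, as an added example that is not part of the comment and is not SteemAccess code. AES-256-GCM from Node's crypto module stands in for Blowfish so that a modified token is rejected rather than decrypted; the token layout, field names and function names are assumptions.

```javascript
// Added example, not SteemAccess code. Names and token layout are hypothetical.
const nodeCrypto = require('node:crypto');

// Mint: seal the posting key, the permitted action and an expiry into one token.
// AES-256-GCM is an assumed stand-in for the Blowfish mentioned on the page.
function mintCap(serverKey, postingKey, action, ttlSeconds, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', serverKey, iv);
  const body = JSON.stringify({ postingKey, action, exp: now + ttlSeconds * 1000 });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Redeem: no lookup table; the token itself carries everything the server needs.
function redeemCap(serverKey, token, requestedAction, now = Date.now()) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 28) return { ok: false, reason: 'malformed' };
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', serverKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  let claims;
  try {
    const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    claims = JSON.parse(plain.toString('utf8'));
  } catch {
    return { ok: false, reason: 'invalid' }; // tampered, or sealed under a retired key
  }
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.action !== requestedAction) return { ok: false, reason: 'wrong-action' };
  return { ok: true, claims };
}

// Constructed walk-through: a one-hour "vote" capability checked five ways.
function demo() {
  const key = nodeCrypto.randomBytes(32); // server secret, held in memory only
  const t0 = 1700000000000;               // constructed clock value (ms)
  const cap = mintCap(key, 'CONSTRUCTED-POSTING-KEY', 'vote', 3600, t0);
  const bytes = Buffer.from(cap, 'base64url');
  bytes[bytes.length - 1] ^= 1;           // flip one ciphertext bit
  return {
    fresh: redeemCap(key, cap, 'vote', t0 + 60000).ok,
    expired: redeemCap(key, cap, 'vote', t0 + 3600000).reason,
    wrongAction: redeemCap(key, cap, 'post', t0 + 60000).reason,
    tampered: redeemCap(key, bytes.toString('base64url'), 'vote', t0 + 60000).reason,
    afterRotation: redeemCap(nodeCrypto.randomBytes(32), cap, 'vote', t0 + 60000).reason,
  };
}
```

With nothing stored server-side, this example has no way to retire a single capability early; switching the server key, as the post describes, retires all outstanding ones at once.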
Thank you very much for a long and thorough answer. I can see that you care about this. Congrats.
I don't have doubts in you or your services. I was simply voicing the most prominent question. And I've got a great answer.
By the way - I consider blockchain to be the database. The mother of all future databases :)
Power Trail seems promising!
Is not working for me @charlieshrem :(
We're having some issues due to load, they should be resolved soon. In the meantime, save your post as a draft or copy+paste it into a text file and retry in 20 minutes or so.
You can also of course just copy+paste direct into steemit. Please do not be concerned about your posting key as the authorisation will expire an hour after being granted.
I've tried twice so will wait an hour or so...
It's saved as a draft, but also in Google Drive, just in case ;)
Will copy and paste into steemit in the meantime.
And no worries, I'm not concerned about my posting key, I have read all the info before doing anything :)
Boom! fixed
Nope :(
I ran a test post just after fixing and it did go through, some things to check on your end:
If none of this works please let me know your exact browser version and your IP address you used so I can check the logs.
You can email this info to me at gareth@garethnelson.com - use "steempower nelyp" as the subject line and I'll do whatever I can to make it work for you.
Hi @garethnelsonuk. Ok, will try all that you said and let you know.
Thank you for replying and thank you so mucho for your help. I appreciate it :)
Like, any way we can share something from, say, FB or Twitter on Steemit?
That's a cool idea that I'll investigate.
It should be fairly easy to do the other way round too - share your steem posts to facebook and twitter automatically. If there's interest I'll code that today.