
Preventing Client-Side Access Token Abuse

Unfortunately there is no silver bullet here -- any token shipped to the browser can be extracted and reused, so all analytics services have this problem too (Google Analytics, Mixpanel, etc.).

Our best practices for mitigating this problem:

Access tokens
Use a separate client-side token that has only the post_client_item scope. (The default post_client_item token already has exactly this scope.) A client-side access token can only send events, and only from client-side platforms: it cannot read any data, and it cannot be used to spoof server-side events.

Tokens can be disabled and replaced at any time. If someone is abusing your token, disable it and switch your client to a new one.

IP Blocklist
We also provide an IP Blocklist so that you can block specific malicious IPs. Find the source IPs of the abusive events in the Rollbar interface, then add those IP(s) to the blocklist (Project -> Settings -> IP Blocklist).
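As an added triage example (not Rollbar's own code or API): given a batch of exported client-side occurrences, flag source IPs whose event rate inside a sliding window exceeds a threshold, producing candidates for the IP Blocklist. The occurrence field names (`ts`, `ip`, `message`) and the sample data are constructed assumptions, not Rollbar's schema.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample():
    """Constructed occurrences: one flood from a single address plus normal traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    # 240 junk events from one address spread over two minutes
    events = [{"ts": base + timedelta(seconds=i // 2), "ip": "203.0.113.7",
               "message": f"junk {i}"} for i in range(240)]
    # A handful of ordinary errors from other sources, including one
    # unparsable source string to exercise the invalid-IP path
    events += [{"ts": base + timedelta(minutes=m), "ip": ip,
                "message": "TypeError: x is undefined"}
               for m, ip in enumerate(["198.51.100.4", "2001:db8::1",
                                       "198.51.100.9", "not-an-ip"])]
    return events


SAMPLE_OCCURRENCES = _build_sample()


def abusive_ips(occurrences, window=timedelta(minutes=5), threshold=100):
    """Return (flagged, invalid).

    flagged: IPs with more than `threshold` events inside any sliding window
             of length `window` (IPv4 and IPv6 are normalised via ipaddress).
    invalid: source strings that do not parse as an IP and were skipped.
    """
    per_ip = defaultdict(list)
    invalid = set()
    for ev in occurrences:
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            invalid.add(ev["ip"])
            continue
        per_ip[str(addr)].append(ev["ts"])
    flagged = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged), sorted(invalid)


if __name__ == "__main__":
    print(abusive_ips(SAMPLE_OCCURRENCES))  # (['203.0.113.7'], ['not-an-ip'])
```

Flagged addresses are candidates for review, not automatic blocks: a shared NAT or proxy address can legitimately produce a burst of real errors.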
