The Kakao platform only allows apps whose Android package name, iOS bundle ID, or website domain has been registered to use the Kakao SDK (Software Development Kit). Thus, you must register your app information in [My Application] > [Platform].
To protect against attacks such as malicious redirects to other sites, Kakao passes the authorization code to the registered redirect URI only. For this, you must register a redirect URI in [My Application] > [Kakao Login] and pass the registered redirect URI as the value of redirect_uri. The Kakao authorization server issues the authorization code only when the value of redirect_uri in the request matches the registered redirect URI.
To enhance security when issuing an access token, you can use a client secret code for additional verification. Go to [My Application] > [Security] and generate a client secret code. Then pass the generated code through the client_secret parameter when calling the Getting tokens or Refreshing tokens API. Note that you must use the client secret code on the server side (backend) only and keep it secret so that it is never exposed in the user's browser.
To allow only API requests sent from predefined IP addresses, you can set the IP addresses in [My Application] > [Allowed IP address].
To allow only registered team members to change the app settings, you can add a developer's account as a team member of your app in [My Application] > [Team Management] by clicking [Invite team member]. Since the Owner account has all permissions for the app, you must use a strong password for the Owner account so that the account information does not leak.
You can grant different permissions to each team member depending on their role. If you need to create a test app and test the implemented functions before release, this also enhances security, since a test app is available only to registered team members.
If the person who holds the Owner account has left the company, change the app owner and then remove that person from the team members by clicking [Expel] on the Team Management page.
App keys are issued for each platform when you create an app. The Kakao platform verifies API requests with the app key passed in the request. Because the Admin key has all permissions, you must use it on the server side (backend) only so that it is not leaked.
If app keys are leaked, you can reissue them with the Owner account of the app. Note that reissuing app keys cannot be undone, and the old app keys can no longer be used.
Since an access token is used to make API calls, you must keep it secret. You must also use the refresh token on the server side (backend) only.
We recommend using the allowed IP address function so that, if an access token is ever revealed, others cannot call an API with the stolen token from an unregistered address.
To prevent Cross-Site Request Forgery (CSRF) attacks, you can use the state parameter when calling the Getting authorization code API. The state value is used to verify the source of the authorization code request, because Kakao passes the state value back to the redirect URI.
Pass a unique and random value for each login request through state when a user requests to log in with Kakao. Then check that the value passed to the redirect URI matches the value you generated.
You must store the state value somewhere that third parties cannot access, such as a session or a cookie protected by the same-origin policy. For more information, refer to RFC 6749 10.12.
To enhance security, you can require the user to log in again regardless of whether they are already authenticated by presenting the Kakao Account login screen. For this, use the optional prompt parameter: set prompt to login when requesting an authorization code.
If you get an ID token through OpenID Connect, you can use the nonce parameter when calling the Getting authorization code API to protect against ID token replay attacks. Pass a unique and random value through nonce; this value is compared with the nonce claim of the ID token when you verify the token.
If your service only allows network connections approved through firewalls, add the IP addresses of the Kakao API hosts used to call Kakao APIs, such as kauth.kakao.com and kapi.kakao.com.
If you use callback functions such as the Unlink callback, Kakao Talk Channel callback, and Kakao Talk Sharing success callback, allow the IP addresses Kakao uses to send callbacks.
If you want to configure a preview page of your service before sending a Kakao Talk Sharing message, add the IP addresses used for scraping requests so that the Kakao scraping server can access your service.
To protect all sensitive data transmitted to or from the application layer, you must comply with the following:
- Use HTTPS.
- For the redirect URI used to get an authorization code and tokens, you must use HTTPS unless there is a special reason. Refer to RFC 6749 3.1.2.1.
- You must encrypt all sensitive data stored in a file or database.
- You must not save user information received from Kakao in the system log.
If a user signs up through the signup process of your service, and the user is identical to one of your Kakao Login users, you are required to map the user onto the existing user data by complying with the following:
- … (/v2/user/me).
- … Long type. You must implement the mapping functionality taking into account that the number of digits may vary within that range.
To protect users' personal information and to securely use the functions provided by Kakao Developers, you must comply with the Operating Policy.
To keep users' personal information up to date, use Security Event Subscription, which delivers changes in users' security status.
Kakao services, including the Kakao SDKs, receive security updates. To strengthen security, check the latest version of the Kakao SDKs periodically and use the latest version whenever possible.
You must set the consent items to the minimum data required for your service; these are the items a user consents to when logging in.
To avoid phishing or misleading users into believing your app is provided by another service, you must register the app icon, app name, and company name that correspond to your actual service in Kakao Developers.
When you integrate Kakao Login into your service, comply with Design Guide so that users can recognize that they will sign up through Kakao Login.
We prohibit Kakao trademark infringement. You are prohibited from altering the app name, icon, and company name to something that may mislead users into believing that your service is a Kakao service or partner. For example, you must not add "for Kakao" to your app name or company name.
If your app's keys are revealed, you can reissue them by clicking [Reissue] in [My Application] > [App Keys].
Reissuing app keys cannot be undone, and the old app keys can no longer be used. Thus, you must replace the old app keys applied in your service app or website with the new app keys to make Kakao API calls; otherwise, your API requests fail.
If you find any security vulnerabilities in Kakao services, you can report them through pf.security@kakaocorp.com. If you have any inquiries about methods or ideas to enhance security in your service using the Kakao platform, contact us through DevTalk.