Question regarding visible serverUrl & appID


I have a question regarding the first point of the faq:

If my appId and serverUrl are publicly visible and I am charged for the requests, can’t someone just steal my serverUrl and appId and make me pay for his/her requests?


On what requests are you referring?
You can set rate limit in cloud code for how web3api from cloud code can be restricted.

Hi, can I also limit the access to a server to domains?

No, you can not do that. And it will not help you as that domain can be set by anyone in a http request to any value

Okay, so basically anyone who has my server_url and app_id can send requests via the web3API on my account? And if I use it in the Moralis Provider in next.js it is visible to anyone? And if someone decides to do this, they can in theory just ramp up my request and I have to pay for it? I’m less worried about the data access, than about possible costs incurred.

when you set the rate limit in cloud code, someone can not make more requests than it is in that rate limit from the same IP.

1 Like

Still, I’m curious now.
I am building a WordPress plugin and looked at some code of other plugins.
I have from one plugin the Moralis serverUrl and appID.
Does this mean now that I can use his database and collect all the user data?

You can not access all the user data from that database. Every user row has an ACL so that only current user can read the data from that row.