This is a neat tool!
Just a little heads up for people in terms of privacy. If you use the built-in helper to place your bets, your API key is sent to the owner of the manifolo service. I’ve glanced over the source code, and it does not seem to be stored anywhere. It’s mainly routed through the backend for easier integration with an SDK and some logging purposes (as far as I can tell). However, there aren’t really any strong guarantees that the source code publicly available is in fact the source code running on the URL.
I have no reason to doubt this, but in theory your API key might be stored and could be misused at a later date. For example, a holder of many API keys could place multiple bets quickly from many different users to steer a market or make a quick profit before anyone realizes.
I don’t think there is any technical reason why the communication with the Manifold APIs couldn’t just happen on the frontend, so it might be worth looking into?
In general one should be very careful about pasting in API keys anywhere you don’t trust. Seems like the key for Manifold gives the holder very wide permissions on your account.
Again, I have no reason to suspect that there is anything sinister going on here, but I think it’s worth pointing out nevertheless!
Thanks for posting the source code as well! Personally I did use my API key while testing and I do trust the author :)
Good point, this is worth considering :)
I tried to do this initially but it was blocked by Manifold’s CORS policy. I was trying to keep everything in the frontend but this and the call to fetch the authenticated user both require going via a server unfortunately.
Also something else to note in terms of privacy: I log the username and the amount when someone places a bet.
It doesn’t need the API key at all to calculate the recommended amount, so for people concerned about this you can just paste the amount into Manifold.
Ah, yes, the CORS policy would be an obstacle. It might be possible to contact them and ask to be added to the list.
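The CORS obstacle discussed in this thread, seen from the browser's side, as an added example that is not part of the thread or of the tool's code: a simplified model of the preflight check for a frontend-only bet request. It assumes the key travels in an `Authorization` header; the origins and response headers are constructed samples, not Manifold's actual policy.

```javascript
// Simplified model of the browser's CORS preflight decision for a cross-origin
// fetch() that carries an API key. Assumes no cookies are sent with the request.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Content-Type: application/json is not safelisted, so it must be allowed by name.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language"]);

const splitList = (value) =>
  (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// request:   { origin, method, headers: [header names] }
// preflight: response headers of the OPTIONS request, keys lower-cased
function preflightVerdict(request, preflight) {
  const allowOrigin = preflight["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { allowed: false, reason: "origin not allowed" };
  }
  const methods = splitList(preflight["access-control-allow-methods"]);
  const method = request.method.toUpperCase();
  const methodOk = SAFELISTED_METHODS.has(method) ||
    methods.includes(method.toLowerCase()) || methods.includes("*");
  if (!methodOk) return { allowed: false, reason: `method ${method} not allowed` };

  const allowedHeaders = splitList(preflight["access-control-allow-headers"]);
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    // A "*" wildcard never covers Authorization; it has to be listed explicitly.
    const wildcardOk = allowedHeaders.includes("*") && name !== "authorization";
    if (!allowedHeaders.includes(name) && !wildcardOk) {
      return { allowed: false, reason: `header ${name} not allowed` };
    }
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed sample: a third-party tool page placing a bet directly from the browser.
const betRequest = { origin: "https://tool.example", method: "POST",
  headers: ["Authorization", "Content-Type"] };
const CONSTRUCTED_POLICIES = {
  ownSiteOnly: { "access-control-allow-origin": "https://api-owner.example",
    "access-control-allow-headers": "authorization, content-type" },
  wildcardHeaders: { "access-control-allow-origin": "*",
    "access-control-allow-headers": "*" },
  toolAllowListed: { "access-control-allow-origin": "https://tool.example",
    "access-control-allow-methods": "POST",
    "access-control-allow-headers": "Authorization, Content-Type" },
};
for (const [name, policy] of Object.entries(CONSTRUCTED_POLICIES)) {
  console.log(name, preflightVerdict(betRequest, policy));
}
```

Only the last policy lets the key go straight from the browser to the API, which is the "added to the list" outcome mentioned above; in the other two cases the browser refuses and a server-side hop is the usual workaround.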