Authenticated, read-only access to GitHub's API from Javascript

Question

I'd like to embed some of my code on GitHub into my blog. The best way I've found so far for this is to use http://www.jamesward.com/2012/06/15/dynamically-rendering-github-files-in-web-pages (with a small modification to fix the base64 decoding) and then do some custom syntax highlighting on it.

However, without authentication, this is subject to a 60 request/hour rate limit enforced by GitHub. It's not clear to me how authentication could work in this case -- since any auth token I might use will need to be part of the JavaScript on my blog, so it will basically be public...

And also, even if I could somehow authenticate this usage (by perhaps connecting my Origin domain with my GitHub user account?), won't that mean that all readers of my blog will count against this shared rate limit, vs. the unauthenticated case where every reader is counted against his own 60/hour limit?

Answer 1

To answer the second question first -- yes, that is what would happen. When authenticated - you have a single quota shared between users. When unauthenticated - the quotas are "distributed" between users (based on IP address, I guess).

Regarding authenticated communication with GitHub's API from JavaScript -- yes, you would have to put the token (or username and password) into your script and make it public. Which you obviously do not want to do. The way you are "expected" to solve this problem is to have a server side. The JavaScript executing in the browser would communicate with your server (for which there is no rate limit and you can secure it however you want), and the server would communicate with GitHub's API and return the results to your JS script. Since nobody can see into your server's code, the credentials for authenticating are not public.