Restrict piwik access to one domain

I use a JS script to show the number of visitors currently on the site. The problem is that the token is there for everyone to see.

It seems to me like anyone would be able to get that piece of JS and use it to access my piwik statistics, seeing the number of users, IPs and so on.

Is there a way to avoid that, maybe make requests to piwik only available to scripts on my domain?

Or even better, is there a widget or a way for me to export, from inside piwik, an XML (with the latest visits for example)? So then only that information would be publicly available and I wouldn’t have to include the token in the JS.

You can use the API maybe: http://piwik.org/docs/analytics-api/reference/ ?

Use the API to what exactly? I am already using it to export the visits data via XML, but I use JS to access it and that exposes my token.

bump
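
The idea raised in the question, publishing only the visitor count so the token never reaches the browser, sketched as an added example that is not part of the thread: a small server-side endpoint keeps `token_auth` and relays one number from the Live API. The Piwik URL, site id, environment variable names and the sample response are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed values (not from the thread): base URL, site id, env var names.
PIWIK_URL = os.environ.get("PIWIK_URL", "https://piwik.example.org/index.php")
PIWIK_TOKEN = os.environ.get("PIWIK_TOKEN", "")  # lives only on the server
SITE_ID = "1"

# Constructed sample of a Live.getCounters JSON response, for offline checks.
SAMPLE_RESPONSE = '[{"visits":"7","actions":"19","visitsConverted":"0"}]'

def build_upstream_request():
    """Fixed API call; nothing in it is taken from the browser's request."""
    params = {"module": "API", "method": "Live.getCounters",
              "idSite": SITE_ID, "lastMinutes": "30",
              "format": "JSON", "token_auth": PIWIK_TOKEN}
    data = urllib.parse.urlencode(params).encode()
    # Sending the parameters as a POST body keeps the token out of URL logs.
    return urllib.request.Request(PIWIK_URL, data=data)

def public_view(upstream_body):
    """Reduce the API response to the single number the page may reveal."""
    try:
        rows = json.loads(upstream_body)
        return {"visitors": int(rows[0]["visits"])}
    except (ValueError, KeyError, IndexError, TypeError):
        # Error bodies and unexpected shapes are never relayed to the client.
        return {"visitors": None}

def app(environ, start_response):
    """WSGI endpoint the page's JS calls instead of calling piwik directly."""
    try:
        with urllib.request.urlopen(build_upstream_request(), timeout=5) as resp:
            payload = public_view(resp.read().decode("utf-8", "replace"))
    except OSError:  # covers URLError, HTTPError and timeouts
        payload = {"visitors": None}
    body = json.dumps(payload).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Cache-Control", "max-age=30"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Because the method, site id and output fields are fixed on the server, a visitor who reads the page's JS learns only the endpoint's address and can retrieve nothing beyond the count.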