As per this blog post, Google Apps Script does not support CORS (cross origin resource sharing) to allow access from cross domain client apps. The API uses JSONP for GET requests to get over this, but POST requests would need CORS to be implemented (or use a proxy). Because of this, I have not released oAuth2 support yet (although it is implemented in scriptDB API for JavaScript). 

If you need to do POSTS using the API, the handler webapp needs to be set to ‘anyone, even anonymous’ for now until this issue is resolved or I figure out a workaround. You can protect from writing by using the method described in setting up GAS API for handler. This describes how you can create multiple handlers which allow different kinds of operations. Specifically then, you could set permissions on a readonly handler how you want, limit the operations it could perform, and distribute it to anyone who needed readonly access, whilst also protecting it with Google Sharing permissions. Another handler, whose url you would not distribute widely, would allow writing, but would need its permissions to be ‘anyone, even anonymous’. This is not ideal, but is ok to get started I guess.

Additional keys passed as headers

As described in A VBA API for – nosql database for VBA and – noSQL database for GAS there are additional keys that can be passed as headers that can be used for further protection in the request headers, but in another quirk of GAS fate, UrlFetch() cannot access any headers passed to it. I hope this will be resolved in the future too.

Setting up a PC for access

Just as  A VBA API for scriptDB uses the registry to store authentication keys and urls, so does scriptDB API for JavaScript use cookies. These only need to be created once, and are created like this. This example shows a one time registration to a readonly handler to a scriptDB associated with the library scriptDBPrimer. Once the pc is registered there is no need to do this again.
var gasHandlerEndPoints = {
    scriptdbreadhandler :  "" } ;

function firstTimeReadonly() {
    // read access to scriptDBPrimer database, no oAuth required - uses scriptDBreadhandler
    new cScriptDbCom().setScriptCredentials( {
        endPoint : gasHandlerEndPoints.scriptdbreadhandler,
        restAPIKey : 'xliberationApp',
        scopeEntry : 'rest',
        credentialsEntry: 'primer',
        library: 'scriptDBPrimer',
        needDebug: false,
        needOauth: false } );

From now on this particular entry can be accessed using

var dbCustomer = getScriptDb("VBAParseCustomers","primer");

and the permissable operations will be those allowed by the GAS handler to which it refers.

For help and more information join our forum, follow the blog or follow me on Twitter