Menu
I'm using Supabase for a new Sveltekit app, with this template
Currently, I'm passing the Supabase keys through on the client side, like this:
const supabase = createClient(
import.meta.env.VITE_SUPABASE_URL,
import.meta.env.VITE_SUPABASE_ANON_KEY
)
What is the simplest way that I can create a secure backend/API, so the application can fetch content from Supabase, without showing Supabase key on the client side?
Is there any functionality built into Sveltekit that enables me to do this? Or would I need to integrate a backend like Rails?
335
The only way to protect an API key is to keep the key only on the server. The client asks your server for some data and your server uses the API key to get the data from the API source and returns it back to the client. Anything you send to the client will be visible to any hacker.
There is only one reliable way: use HTTPs for your web site to allow the users to retrieve the key. Then during the API calls HTTPS is no longer required. Your users can use HMAC authentication to hash the key with a shared secret.
SvelteKit supports server-side code in two main places:
Code for these will never be accessible to the browser; only the results. Also any network calls made will not be visible to the client since they all happen on the server (for cases where API keys are embedded in the URL). The locals property of each API is a good place to share sensitive data (like API keys) with all the server-side parts.
The general recommendation is to proxy external API calls with local endpoints:
load() in <script context="module"> (allows calling API's from server-side before page is sent/rendered)<script>
Notes:
fetch() is recommended (vs axios, for example), especially within load(). load() provides a special version of fetch() that caches calls from the server-side so the client-side can reuse the results.
175
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
