 

How should I store API keys in a Python app?

In my case I'm using the Dropbox API. Currently I'm storing the key and secret in a JSON file, just so that I can gitignore it and keep it out of the GitHub repo, but obviously that's no better than having it in the code from a security standpoint. There have been lots of questions about protecting/obfuscating Python before (usually for commercial reasons) and the answer is always "Don't, Python's not meant for that."

Thus, I'm not looking for a way of protecting the code but just a solution that will let me distribute my app without disclosing my API details.

lavelle asked Apr 27 '12 19:04



3 Answers

Plain text. Any obfuscation attempt is futile if the code gets distributed.

orlp answered Nov 07 '22 10:11



Don't know if this is feasible in your case. But you can access the API via a proxy that you host.

The requests from the Python app go to the proxy and the proxy makes the requests to the Dropbox API and returns the response to the Python app. This way your API key will be at the proxy that you're hosting. The access to the proxy can be controlled by any means you prefer (for example, username and password).

Can't Tell answered Nov 07 '22 12:11

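A minimal version of the proxy described in this answer, written as an added example (not code from the answer or from Dropbox). It assumes the current Dropbox v2 API with a bearer token, reads that token from a `DROPBOX_TOKEN` environment variable on the proxy host, authenticates callers with HTTP Basic credentials held in a constructed `CLIENTS` table, and forwards only an allow-listed set of endpoints so a stolen proxy login cannot drive the whole Dropbox account.

```python
import base64, hmac, os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# The Dropbox credential lives only on the proxy host (placeholder values, not real secrets).
DROPBOX_TOKEN = os.environ.get("DROPBOX_TOKEN", "PLACEHOLDER-TOKEN")
CLIENTS = {"alice": "secret"}  # per-client proxy credentials (constructed sample user)
ALLOWED = {"/2/users/get_current_account", "/2/files/list_folder"}  # forwarded endpoints
UPSTREAM = "https://api.dropboxapi.com"

def check_basic_auth(header):
    """Return the username if the Authorization header carries valid Basic credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time compare, against a dummy for unknown users, so timing leaks nothing.
    ok = hmac.compare_digest(pw.encode(), CLIENTS.get(user, "").encode())
    return user if ok and user in CLIENTS else None

def build_upstream(path, body):
    """Build the upstream request; the Dropbox token is attached only here."""
    if path not in ALLOWED:
        return None
    return request.Request(UPSTREAM + path, data=body, method="POST", headers={
        "Authorization": "Bearer " + DROPBOX_TOKEN, "Content-Type": "application/json"})

class Proxy(BaseHTTPRequestHandler):
    def _reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if check_basic_auth(self.headers.get("Authorization")) is None:
            return self._reply(401, headers=[("WWW-Authenticate", 'Basic realm="proxy"')])
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        req = build_upstream(self.path, body)
        if req is None:
            return self._reply(404)
        try:
            with request.urlopen(req, timeout=10) as resp:
                self._reply(resp.status, resp.read(), [("Content-Type", "application/json")])
        except error.HTTPError as e:  # relay Dropbox's own error status unchanged
            self._reply(e.code, e.read(), [("Content-Type", "application/json")])
```

Run it with `HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()` behind TLS; the client ships only its own proxy login, never the Dropbox token.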


There are two ways depending on your scenario:

If you are developing a web application for end users, just host it in a way that your API key is not disclosed. So keeping it gitignored in a separate file and only uploading it to your server should be fine (as long as there is no breach of your server). Any obfuscation will not add any practical benefit, it will just give a false feeling of security.

If you are developing a framework/library for developers or a client application for end users, ask them to generate an API key on their own.

schlamar answered Nov 07 '22 10:11
