How to hide the API key in my Electron application?

I'm building an Electron application that uses Google's YouTube Data API v3. For accessing the API, I decided to use the standard API key (instead of OAuth, since I am not going to be accessing any personal data).

But the problem is, I cannot hide the API key in my app, and I also cannot use referrer restrictions (referrer restrictions allow you to filter which web sites can use your API key (by HTTP address)), since this is an Electron app. So basically, if someone looks at the source code (or even just at the developer tools), they can see the key, and use it freely.

Any advice on what to do? Thanks.

bool3max asked Mar 20 '16 14:03


1 Answer

The only way to secure your API key for an application that does not require users to register or log in is to place it behind a server proxy. So, when they start the app, the app reaches out to your server, the server then returns the API key so it only resides in the app in dynamic form, it is never visible to users.

However, this is still insecure: if they use a packet sniffer or local proxy, they can grab your token.

The most secure way to do this is to make all your API requests from a private server that your app has access to. So, the app makes no requests to Youtube, it only gets the data from your server.

Then, you can secure your app by signing API requests to your private server with a private key. For example, you could have a config file in the app with a private key that is sent in the header of every API request. Then, the only way to get your key would be to decompile your app, and then access that config file, then make API requests to your private server using the same private information. Then, to prevent malicious users, you can monitor traffic and set up request limits, like 1 request per second per app. Any app exceeding that limit could be black-listed as a DDOS attack or a malicious user.

The data flow would look something like this.

    App -> Server (with Api Key) -> youtube (data) -> Server (data) -> App
Aaron Franco answered Sep 20 '22 12:09