Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to hide/secure API keys in an Angular 2 client side application?

Tags:

angular

I am developing an Angular 2 application. I am making several API calls from my service, but I don't want to publish the keys.

I know that using the keys from the backend is the preferred method, but surely there must be a way to do this from the frontend.

I have been researching how to effectively hide the API keys in the frontend, but have not found any well-explained resources on how to do so.

What is the best way to do this?

like image 868
universesurfer Avatar asked May 22 '17 18:05

universesurfer

People also ask

How do I protect API key from client side?

The only way to protect an API key is to keep the key only on the server. The client asks your server for some data and your server uses the API key to get the data from the API source and returns it back to the client. Anything you send to the client will be visible to any hacker.

How do I hide frontend API keys?

It is often recommended to use serverless functions to hide API keys for client side applications. Then the client can use this serverless function as a proxy to call the API through a new endpoint.

1 Answers

Well, the truth is that anything sent down to the client, including info used in HTTP calls, can be reverse engineered. Having an API key in a URL will by its own nature not be able to be obscured. The only true way to hide this completely from the client is to keep it on the backend, as you've mentioned. The most you can do is make it difficult to trace, like providing it encrypted in an environment variable and having your app decrypt it before sending, but it's still going to be in the HTTP call in plain text.

The good news is that the APIs you've mentioned in your comments are public APIs, so there is really no need to hide them. The information they provide is public to begin with, and if anyone really wanted an API key they could just sign up for one. The keys are mostly used by the services themselves to track usage (so stealing it would have no benefit, as usage would just increase and run out more quickly). If you do end up buying one and the service does not offer obfuscation methods themselves (i.e. session tracking / cookies), you'd have to mitigate it through your backend.

Your head is in the right place, but in this case it doesn't seem like a necessary step.

like image 176
joh04667 Avatar answered Oct 19 '22 06:10

joh04667
Sign in to Comment

Related questions

Angular2 with ASP.NET 5 [closed]
How to make Angular 2 send all requests as application/x-www-form-urlencoded
Angular2 loading dynamic content/html in for loop
angular2: including thirdparty js scripts in component [duplicate]
Angular2 - OnInit : Values returned from Service' subscribe function does not get assigned to Component field/s
Angular 2: Reduce app size (in addition to bundling/minification)
TypeScript type definitions for ServiceWorker
LeafletJS not loading all tiles until moving map
Angular2 RC5 forces one to move component imports to NgModule declaration - Why?
Load existing components dynamically Angular 2 Final Release
How can I pass an argument to a provider constructor in Ionic2 / Angular2?
angular-cli: Conditional Imports using an environment variable
how to setvalue in formbuilder array
How to ignore an entity field in TypeScript when sending a JSON to a Web Service?
Access Control Allow Origin issue in Angular 2
is there any difference between import { Observable } from 'rxjs/Observable' and import { Observable } from 'rxjs'?
Cannot read property 'touched' of undefined
Angular 2 (Angular-cli) : Uncaught ReferenceError: google is not defined
How to include custom styles with Angular CLI
Where can I find the Angular 2 CDN or source code?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!