Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to protect an API Key when using JavaScript?

Tags:

javascript

api-key

api

So, I'm developing a small application just for my own use and perhaps an open source project on Git. I'm using an API from Envato Marketplaces, and as you all know there are some operations that don't require any keys, but in the same time there are some that do require.

I first made a nice API wrapper for the Envato API in PHP, but then I decided to experiment a little bit with JavaScript, so I'm developing the same wrapper with JavaScript. So far I have no problems with the public operations, but I now have to use the API Key.

My question would be if there's a way to protect the API Key in JavaScript. I cannot just put it there in plain text as it can then be used by others who see the code. So would there be an implementation where the API remains secret ? Maybe grabbing it from a JSON text file with XHR ?

like image 995
Roland Avatar asked Jul 13 '12 12:07

Roland

People also ask

Is it safe to use API key in JavaScript?

In the real world, API keys shouldn't be stored in client-side JavaScript files. This simply isn't secure, especially if the API has a rate limit, charges for use, or provides access to sensitive information. If your API key is accessible directly in the source code, anyone can access it.

How do I protect API key from client side?

The only way to protect an API key is to keep the key only on the server. The client asks your server for some data and your server uses the API key to get the data from the API source and returns it back to the client. Anything you send to the client will be visible to any hacker.

Can someone steal my API key?

Security of API keys API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.

1 Answers

Short answer: No

What ever you do to obfuscate the key, you still have to send it to make it available on the client somehow, and therefore it will be possible to extract it using fx. Firebug.

Even if you devise an awesome magical way to keep the key secret, at some point you would have to make the actual API-request, and as it would have to be sent from the browser, an attacker would be able to read out the key in plain text from Firebugs net tab.

The right thing to do is to create a PHP wrapper around the API calls that require keys, and then call that wrapper from Javascript.

like image 149
AHM Avatar answered Sep 22 '22 02:09

AHM
Sign in to Comment

Related questions

Google Chrome won't let me place breakpoints
d3.js how to dynamically add nodes to a tree
Prevent Chrome from wrapping contents of joined <p> with a <span>
Trigger an event when user navigates away
Animating a line drawn between 2 elements without canvas, linking by ID's
Exclude module from webpack minification
importing a package in ES6: "Failed to resolve module specifier "vue""
Podcasts about JavaScript programming [closed]
Client only cookies - cookie which doesn't ever go to the server
Twitter bootstrap:Popovers are not showing up on first click but show up on second click
jQuery DataTable - Hide rows the intended way
Mocking JavaScript constructor with Sinon.JS
Print a pdf without visually opening it
Are there any recent Lua to JavaScript converters or interpreters somewhere? [closed]
add an onclick event to a div
Exit not only from child function but from whole parent function
progress notifications in ECMAScript Promise
overflow-y not working in safari inside a modal
Do I ever need explicit allowSyntheticDefaultImports if esModuleInterop is true configuring TypeScript transpilation?
Visual Studio Javascript extensions feature comparison

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!