Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Protecting YouTube v3 API key in a client-side application

I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY &part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests: enter image description here

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks

like image 668
Sean Anderson Avatar asked Sep 04 '14 04:09

Sean Anderson


1 Answers

Don't think it is a malicious user. I think something's wrong on YouTube's side, since I'm seeing exactly the same issue with API requests made from my app enter image description here

like image 155
cujo30227 Avatar answered Sep 28 '22 16:09

cujo30227