lavelle

Reputation: 1556

How should I store API keys in a Python app?

In my case I'm using the Dropbox API. Currently I'm storing the key and secret in a JSON file, just so that I can gitignore it and keep it out of the GitHub repo, but obviously that's no better than having it in the code from a security standpoint. There have been lots of questions about protecting/obfuscating Python before (usually for commercial reasons) and the answer is always "Don't, Python's not meant for that."

Thus, I'm not looking for a way of protecting the code but just a solution that will let me distribute my app without disclosing my API details.

Upvotes: 8

Views: 7172

Answers (3)

schlamar

Reputation: 9511

There are two ways depending on your scenario:

If you are developing a web application for end users, just host it in a way that your API key is not disclosed. So keeping it gitignored in a separate file and only uploading it to your server should be fine (as long as there is no breach of your server). Any obfuscation will not add any practical benefit; it will just give a false feeling of security.

If you are developing a framework/library for developers or a client application for end users, ask them to generate an API key on their own.

Upvotes: 2
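For the second case above (a client application where each user supplies their own key), the remaining question is how the app should read that key. The following is an added example, not code from the answer or from Dropbox: it takes the token from an environment variable first, otherwise from a per-user file, and refuses a token file that is a symlink or readable by other accounts. The variable name DROPBOX_TOKEN and the path ~/.config/myapp/token are assumptions.

```python
import os
import stat
from pathlib import Path

ENV_VAR = "DROPBOX_TOKEN"                                   # assumed variable name
DEFAULT_PATH = Path.home() / ".config" / "myapp" / "token"  # assumed file location


class CredentialError(Exception):
    """Raised when no usable token is found or the token file is unsafe."""


def mode_is_private(mode):
    """True if the file mode grants no group/other permission bits at all."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_token_file(path):
    """Read a token from `path`, refusing symlinks, non-regular files and loose permissions."""
    path = Path(path)
    st = os.lstat(path)  # lstat: inspect the link itself instead of following it
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise CredentialError(f"{path} must be a regular file, not a symlink or directory")
    if not mode_is_private(st.st_mode):
        raise CredentialError(f"{path} is readable by other users; fix with: chmod 600 {path}")
    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise CredentialError(f"{path} is empty")
    return token


def write_token_file(path, token):
    """Create the token file with mode 0600 from the start, so it is never world-readable."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(token.strip() + "\n")
    os.chmod(path, 0o600)  # tighten an already existing file that had a looser mode


def load_api_key(env=None, path=DEFAULT_PATH):
    """Environment variable first (CI, containers), then the per-user token file."""
    env = os.environ if env is None else env
    token = env.get(ENV_VAR, "").strip()
    if token:
        return token
    if Path(path).exists():
        return read_token_file(path)
    raise CredentialError(
        f"No Dropbox token found: set {ENV_VAR} or create {path} with your own app token"
    )
```

The permission check is the part people tend to skip: a token file that the app happily reads with mode 0644 is visible to every other account on a shared machine, so the loader fails closed and tells the user the exact chmod to run.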

Can't Tell

Reputation: 13466

Don't know if this is feasible in your case. But you can access the API via a proxy that you host.

The requests from the Python app go to the proxy and the proxy makes the requests to the Dropbox API and returns the response to the Python app. This way your API key will be at the proxy that you're hosting. The access to the proxy can be controlled by any means you prefer (for example, username and password).

Upvotes: 2
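A minimal version of the proxy this answer describes, as an added example that is not code from the answer or from Dropbox: clients authenticate to the proxy with HTTP Basic username/password (stored as salted PBKDF2 hashes), the proxy attaches the real Dropbox bearer token, which only exists on the proxy host, and only an allowlist of upstream endpoints is forwarded so a leaked proxy password cannot be used for anything the app does not need. The sample user, the endpoint allowlist, the 1 MiB body cap and the DROPBOX_TOKEN environment variable are assumptions; api.dropboxapi.com and the Bearer header are how the Dropbox v2 API is actually addressed.

```python
import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError
from urllib.parse import urlsplit

UPSTREAM = "https://api.dropboxapi.com"              # Dropbox API v2 host
DROPBOX_TOKEN = os.environ.get("DROPBOX_TOKEN", "")  # the secret lives only on the proxy host
MAX_BODY = 1 << 20                                   # assumed request size cap
PBKDF2_ITERATIONS = 200_000

# Only these upstream endpoints are reachable through the proxy (assumed allowlist);
# a stolen proxy password then cannot be used to, say, delete files.
ALLOWED_PATHS = {
    "/2/files/list_folder",
    "/2/files/get_metadata",
    "/2/users/get_current_account",
}


def make_user_record(password, salt=None):
    """Salted PBKDF2 record for a proxy user; store these, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed sample user for the demo; load real records from a file or database.
USERS = {"alice": make_user_record("correct horse battery staple")}
_DUMMY = make_user_record("dummy")  # unknown users cost the same time as known ones


def check_basic_auth(header, users):
    """Return the username if the HTTP Basic credentials in `header` are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    salt, expected = users.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    if user in users and hmac.compare_digest(candidate, expected):
        return user
    return None


def build_upstream_request(path, body, token):
    """Build the upstream call with the key the client never sees; None if the path is not allowed."""
    clean_path = urlsplit(path).path  # drop any query string before matching the allowlist
    if clean_path not in ALLOWED_PATHS:
        return None
    headers = {
        "Authorization": f"Bearer {token}",  # Dropbox v2 expects a bearer token
        "Content-Type": "application/json",
    }
    return urlrequest.Request(UPSTREAM + clean_path, data=body, headers=headers, method="POST")


class ProxyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        user = check_basic_auth(self.headers.get("Authorization"), USERS)
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="dropbox-proxy"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length)
        upstream = build_upstream_request(self.path, body, DROPBOX_TOKEN)
        if upstream is None:
            self.send_error(403, "endpoint not allowed through this proxy")
            return
        try:
            with urlrequest.urlopen(upstream, timeout=30) as resp:
                status, payload = resp.status, resp.read()
        except HTTPError as err:
            status, payload = err.code, err.read()  # relay Dropbox's error JSON as-is
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Run behind TLS (e.g. a reverse proxy); Basic auth over plain HTTP exposes the password.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Two things to keep in mind with this design: the proxy must be served over TLS, because Basic credentials are only base64-encoded, and the allowlist is what limits the damage of a compromised client, since every client shares the one upstream token.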

orlp

Reputation: 117771

Plain text. Any obfuscation attempt is futile if the code gets distributed.

Upvotes: 3
