Reputation: 1886
I am new to web JavaScript development and playing around with apps and scripts for some of the public APIs around the web. When a site issues you a unique key to identify your application, you code that into your script so you can access the site's API, but then anyone who can visit your site can also inspect the source of your JavaScript, so they could see/take/use your API key.
While there's no direct security issue for your own site here, doesn't it mean that anyone else could take my API key and use it for their own app which is completely different? How does one go about making this secure or storing it in a secure way?
What is the best practice in this regard?
Upvotes: 2
Views: 479
Reputation: 14327
APIs typically offer domain authentication as an alternative to an API secret, for when the API needs to be called from client-side code.
Upvotes: 3
Reputation: 14899
Usually these KEYS are mapped to a domain. So another person's domain will not be able to use your key.
Upvotes: 2
Reputation: 2477
Generally API keys are tied to a domain. So even if someone tries to use your key it won't work on any domain but the one for the site it was issued for.
Upvotes: 3
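What a domain-tied key check can look like on the API provider's side, as an added example that is not part of the original answers or of any particular provider's code. The key table, function names and sample domains are hypothetical, and it assumes the provider compares the browser-sent `Origin` (or `Referer`) header with the domains registered for the key.

```javascript
// Constructed sample data: API key -> domains registered by the key's owner.
// A leading "*." allows any subdomain (but not the bare domain itself).
const KEY_DOMAINS = new Map([
  ["demo-key-123", ["example.com", "*.example.com"]],
]);

// Extract the calling page's hostname from Origin, falling back to Referer.
// Header names are lower-cased, as Node's http module delivers them.
function requestHost(headers) {
  const raw = headers["origin"] || headers["referer"];
  if (!raw) return null;
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null; // malformed value, or the opaque origin "null"
  }
}

// Exact match, or a suffix match that must include the separating dot so
// "evilexample.com" does not pass as a subdomain of "example.com".
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    return host.endsWith(pattern.slice(1));
  }
  return host === pattern;
}

// Decide whether this key may be used from the page that sent the request.
// Unknown keys and requests with no usable header are rejected (fail closed).
function isKeyAllowed(apiKey, headers) {
  const patterns = KEY_DOMAINS.get(apiKey);
  if (!patterns) return false;
  const host = requestHost(headers);
  if (!host) return false;
  return patterns.some((p) => hostMatches(host, p));
}
```
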