Reputation: 65
My question is about where and how to:
In this case I am dealing with an Algolia Admin API Key (but aiming to ask this question in a fairly generic way).
In order for my app to work, based on certain user actions I need to update my Algolia index (which requires an Admin API Key in order to do).
I understand that I am not supposed to expose my Admin API Key to the front-end (i.e. don’t put it in my app.js file). How can I securely pass my API Admin Key to my app.js file, so that I can make updates to my Algolia index?
Some things I've come across:
- Should I hide it in a config.json file? I can't figure out how to use information exported from a config file in my js (which maybe would defeat the purpose anyway?). I read this
- Also on the Firestore docs it mentions, in reference to working with Algolia, that "App ID and API Key are stored in functions config variables". How do I store my API key in config variables?
- I read this about using environment variables, and exporting them to the app.js file. But if I then push the app-env file to the server (which I assume I'll need to in order for the app.js file to read the API key), how is that more secure than just putting it in the file?
Upvotes: 4
Views: 6614
Reputation: 1097
This approach provides a layer of abstraction over the API key/secret, and the functionalities which use the API key/secret are associated with the logic.
Upvotes: 0
Reputation: 65
After doing a bit more research this is what I've decided.
I need to create a separate .js file that contains the Admin API Key and the function that listens for changes in my database, and makes the appropriate updates to Algolia (that's pretty obvious).
Next I need to get that file to run. I believe I have two options:
1. Run the file locally. This is secure because the file is not being served anywhere beyond my local machine. The main drawback here is that I'd basically have to keep the file open all the time, which would quickly become impractical in production.
2. Host my file somewhere like Heroku or Nodejitsu, so that it can run perpetually on their server.
Upvotes: 2
Reputation: 943163
You cannot give the key to the client, through any mechanism, and keep it secret.
Build a web service (in your server-side language of choice, with whatever authentication is appropriate) and write your own API to allow a limited selection of actions to be performed. Your web service then acts as a client to Algolia.
Upvotes: 6