Joaquin

Reputation: 41

Security concerns about the use of client-side API_KEY

I'm new to getstream-io and currently in the first steps of developing a chat using getstream with the React API.

As per the documentation, I see that to initialize a chat client we need to create a StreamChat using:

const client = new StreamChat(MY_API_KEY);

// example: const client = new StreamChat("qk4nn7rpcn75");

I'm wondering if it's safe in terms of security to make this API_KEY available in the UI/browser, because this API key could be taken from the browser and reused without any restrictions.

The question is: is it safe to leave this API_KEY available in the UI/browser?

Thanks.

Upvotes: 1

Views: 131

Answers (1)

ferhatelmas

Reputation: 3978

It's safe, and actually it will be passed as a query parameter in each request for easier visibility in logs. To better understand, you can think of the key as your user name and the secret as your password.

In this mode (client-side auth), the client isn't functional yet; you will need to set a user token signed by your secret. However, revealing that token or your secret isn't secure:

  • token: your user can be impersonated
  • secret: anything is possible

Upvotes: 2
