Reputation: 771
How to solve API key is visible on request URL problem?
I've hide my API key inside .env file in my React app. And I used it through process.env. But When I go to network tab in developers tool of google chrome and check requests there I can see my API key present in the request URL. Therefore my API key is not secured. Anyone will able to get my API key. How can I hide my API from that place as well?
Upvotes: 4
Views: 6688
Answers (3)
Reputation: 2832
There is no way to hide the key on the client-side.
My suggestions:
- Do this call from your back-end, and expose it to your front-end
- Add API HTTP referrer restrictions instead. Only requests from your domain make the call in (1)
Upvotes: 8
Reputation: 54
Unsure if this is a service you're building or one your consuming. If you are in control of the service then you can change from using a query param through to an authorization header. When the service is live as long as you are using SSL then the header would be encrypted and the key would not be exposed to those snooping.
Upvotes: 1
Reputation: 1395
If you want to keep your API key private, don't use it in front end. Just keep it in back end and, first send request to backend and, then from back end, send request to that API server
Upvotes: 2
Related Questions
- How do I hide my API key in script.js file using dotenv
- How to Hide an API Key in Client-Side Javascript
- How to protect an API Key when using JavaScript?
- Getting API authentication key error with PublicAPI
- API Key returning undefined react
- Where to "hide" an API key
- API key not defined?
- Trying to hide my API key breaks my URL. Anyone know why?
- Protecting API Key in a JS application
- API key security in Javascript?