Inish Crisson

Reputation: 21

Is there a secure way to pass API keys to an oracle in Chainlink?

I'm writing a contract (function code below) that pulls data from an API via the Chainlink GET function. I have read that Provable (Oraclize) has an option to encrypt API request parameters. Does Chainlink offer anything similar? I've been googling a lot, but haven't been able to find anything helpful so far. I'd really like to avoid sending my API key on a public chain for obvious reasons.

    function requestVolumeData(string memory apiurl, string memory jsonpath) public returns (bytes32 requestId)
    {
        Chainlink.Request memory request = buildChainlinkRequest(jobId, address(this), this.fulfill.selector);

        // Set the URL to perform the GET request on
        // (everything added to the request is visible on the public chain)
        request.add("get", apiurl);

        // Set the JSON path of the value to extract from the response
        request.add("path", jsonpath);

        // Multiply the result by 1000000000000000000 to remove decimals
        int timesAmount = 10**18;
        request.addInt("times", timesAmount);

        // Sends the request
        return sendChainlinkRequestTo(oracle, request, fee);
    }

Upvotes: 2

Views: 563

Answers (2)

Atul Payapilly

Reputation: 56

The only safe way to do this is with confidential computing. That's what we do at Verifiably.

I'm guessing Chainlink will eventually add this capability. I'm not sure why they didn't do this after their Town Crier acquisition, seemed like the natural thing to do.

Upvotes: 1

Patrick Collins

Reputation: 6131

Ideally, you'd not want to put your API keys on-chain at all, but here are your options for working with sensitive data with a Chainlink oracle.

1. Pass your API key to a node operator

This, of course, is a trusted operation since you'll have to trust the node operator with your key. However, this will prevent the world from seeing your key, and the node operator can just use it on the backend.

2. Encrypt your key before you use it

You'll still need to give the Chainlink node operators a way to decrypt the data on the back end, and this is considered less safe because you're still giving people a way to access your data, and you're putting it on-chain.

3. Make a protected API that can only be called by node operators.

So you'd run an API that wraps around another API.

4. DECO (not live yet)

There are plans to have DECO come out at some time which will help keep private data safe even from Chainlink node operators.

Upvotes: 2
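
Option 3 from the answer above (an API that wraps another API), sketched as an added example that is not part of the original answer or of Chainlink's code. It assumes the operator's node sends a per-operator bearer token configured off-chain; the upstream URL, parameter names, key and token values are constructed placeholders, and `fetch` stands in for the real HTTP call.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values; in practice load these from a secret store.
UPSTREAM_BASE = "https://api.example.com/v1/volume"  # hypothetical upstream API
UPSTREAM_API_KEY = "upstream-secret-key"             # never leaves this service
# SHA-256 digests of the tokens issued to node operators: one token per
# operator, so one operator can be revoked without rotating the upstream key.
OPERATOR_TOKEN_HASHES = {
    "node-operator-1": hashlib.sha256(b"operator-1-token").hexdigest(),
}
ALLOWED_PARAMS = {"fsym", "tsym"}  # only these query parameters are forwarded


def authenticate(token):
    """Return the operator id for a valid token, else None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    matched = None
    for operator, expected in OPERATOR_TOKEN_HASHES.items():
        # Constant-time comparison; keep looping so timing does not
        # reveal which entry matched.
        if hmac.compare_digest(digest, expected):
            matched = operator
    return matched


def build_upstream_url(params):
    """Build the upstream URL, attaching the API key on the server side."""
    # Drop anything not allowlisted, including a caller-supplied api_key.
    safe = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    safe["api_key"] = UPSTREAM_API_KEY
    return UPSTREAM_BASE + "?" + urlencode(sorted(safe.items()))


def handle_request(headers, params, fetch):
    """Handle one call from a node; fetch(url) performs the upstream GET."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    operator = authenticate(auth[len("Bearer "):])
    if operator is None:
        return 403, {"error": "unknown operator"}
    # Only the upstream response body is returned; the key is never echoed.
    return 200, {"operator": operator, "data": fetch(build_upstream_url(params))}
```

With this layout the on-chain request carries only the wrapper's URL and the allowlisted parameters, so neither the upstream key nor the operator token appears in the transaction.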
