How to hide your API key
There are numerous API providers that require you to use a personal API key on the front end. Examples of such providers are Google Maps, YouTube, MailChimp, Paddle or PayPal.
Generally you don't want to expose those api keys at all. This includes
- Source code repositories
- On your frontend
- Within your team
Encrypting the API key
For the front end it is much harder to secure your API key. For the browser to send a request to the API it has to include the API key somehow. That means that at some time the API key has to be present in clear text. As all the front end code is open to inspect for everyone it is very easy to find that key and potentially use it for malicious purposes.
API keys are valuable
Nowadays this really imposes not only a security risk but also a financial risk. Bots are checking all commits of public GitHub repos immediately for API keys and forward them to fraudsters. Read what happened to Morganne Gagne when she committed her AWS S3 (Simple Storage Server) API key to her repo and was billed more than $7,000 in only one day!
Roll your own relay back end
When you run your own back end you can always write your own relay service that injects your api key. While this is a viable solution it increases your effort. But what if you have a front end application without a back end like a static site or if you use a CMS like Wordpress? You are out of luck hiding your API key!
Encrypt the key on the front end
There have been attempts to encrypt the API key on the front end but a quick search on stack overflow. Still this will never be a fully working solution as you will transmit the API key in plain text at some point.
How you can really hide your API key
Now there is an easy solution to this problem! Using hideAPIkey.com you store your secret API key in our database. Using our very own unique relay API we forward all your api parameters to the real API and inject the api key on the server. If you want to secure access to the relay api even more you can limit access to your hostname so nobody else can call it. This way your API key is never exposed to the front end and you can safely use any APIs without worrying about unexpected costs. hideAPIkey.com is even free for 24 hours!