C0D4 (227d): API keys shouldn't be part of your code base, especially if it's open-sourced.
Keep them outside, like a database, another repo (environment config) or, hell, drag them out of a JSON file in a private AWS S3 bucket.
sbiewald (27d): Let's say you make a weather app.
Let's say you get your weather data from some third party by using a REST API. To protect their servers, you have to submit an API key with every request.
To prevent the leak of this API key (it's rate limited, so you only have 50'000 requests/day, too!) you must not include it in your app! Instead the users will connect to your servers, which make the request to the third-party server (and e.g. cache results etc.).
Even in your server's code, the API key is not directly encoded; rather it is passed in from the environment, e.g. as an environment variable to your code. This keeps the API key out of your version control.
For the authentication app <-> your servers, different methods are common: usually the user logs in regularly (e.g. username + password, Google or Apple SSO) and gets back an API key for _his_ user account on _your_ service. The key for your server can be stored on the user's device, in a read-protected area (which you cannot access from other apps).
In this case, your service verifies the user's API key and makes a request to the third-party weather API with the server's API key.
M1sf3t (27d): ok but what about all of these demo apps that tell you to make a file in your src directory for axios and have you put the key for some random third party site in there. that's client side or no? I missed the part explaining the finer points of public and src somewhere.