boundaries-io

By Boundaries-io | Updated 9 days ago | Mapping

API KEY VISIBILITY

Rapid account: Homeown
homeown
5 years ago

Hi,
My apology in advance if question is retarded, but if I make API Call clientside (JS), isn’t my API KEY visible to all on page source, therefore usable to anyone since there is no other means of enforcement?

If it is a viable concern, is there a trade-off to the serverside alternative beyond performance (xfer response dataset to client), and if so, any advice to improve/offset?

Thanks, and sorry if question silly b/c I’m missing something basic.

Rapid account: Kanecharles
kanecharles Commented 2 months ago

A common solution is to use a server-side proxy to hide the API key. This helps protect your key from being exposed on the website’s source code. If you need more computing time or are looking to improve performance, you can use time calculator to compare performance between options. Good luck!

Rapid account: Brianallen
brianallen Commented 4 months ago

When making API calls from the client side (JS), the API key can become visible in the website source code and can be used by anyone. This is an important security issue. Moving to the server side can help solve this problem, although it may impact performance. There are several ways to improve and compensate for the move to server-side with angel numbers, but the most important is to keep your API keys secure.

Rapid account: Homeown
homeown Commented 4 years ago

Thank you for responding!

Rapid account: Homeown
homeown Commented 5 years ago

I’m guessing if clientside script contains API key it can still be considered protected as it runs under my domain name (others trying to utilize should not be allowed with same API key given that reason) - but then again I haven’t signed up yet so don’t know if that’s part of the account setup/config, so can you elaborate on this - how do I know others don’t use my key to make calls at my quota’s expense?
dumb question, but still…
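
Added example, not part of any comment above and not RapidAPI's or Boundaries-io's own code: a minimal Node.js (18+) proxy of the kind the replies describe, which attaches the key on the server and caps per-client usage so the quota concern stays bounded. The environment variable names, the allowed origin and the upstream route are assumptions and placeholders.

```javascript
// Added example (not from the thread): a proxy that keeps the API key on the server.
// Assumptions: RAPIDAPI_KEY and UPSTREAM_HOST env vars; origin and route are placeholders;
// the proxy runs on a different origin than the page, so browsers send an Origin header.
const ALLOWED_ORIGINS = new Set(['https://www.example.com']);
const ALLOWED_PATHS = [/^\/v1\/boundary\/[\w-]+$/]; // hypothetical upstream route
const LIMIT = 30, WINDOW_MS = 60_000;               // requests per client per minute
const hits = new Map();

// Sliding-window counter so a single client cannot drain the shared quota.
function allow(clientId, now = Date.now()) {
  const recent = (hits.get(clientId) || []).filter(t => now - t < WINDOW_MS);
  const ok = recent.length < LIMIT;
  if (ok) recent.push(now);
  hits.set(clientId, recent);
  return ok;
}

// Decide what, if anything, goes upstream. The key is attached only here, and the
// upstream host is fixed by the server, never taken from the client's URL.
function buildUpstream({ method, url, origin, clientId }, env, now) {
  if (method !== 'GET') return { status: 405 };
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403 };
  const u = new URL(url, 'http://proxy.local'); // also normalises ../ segments
  if (!ALLOWED_PATHS.some(re => re.test(u.pathname))) return { status: 404 };
  if (!allow(clientId, now)) return { status: 429 };
  return {
    status: 200,
    target: `https://${env.UPSTREAM_HOST}${u.pathname}${u.search}`,
    headers: { 'X-RapidAPI-Key': env.RAPIDAPI_KEY, 'X-RapidAPI-Host': env.UPSTREAM_HOST },
  };
}

// HTTP wiring: the browser calls this proxy and never sees the key.
async function start(port, env = process.env) {
  const http = await import('node:http');
  http.createServer(async (req, res) => {
    const plan = buildUpstream({ method: req.method, url: req.url,
      origin: req.headers.origin, clientId: req.socket.remoteAddress }, env);
    if (plan.status !== 200) { res.writeHead(plan.status); return res.end(); }
    try {
      const up = await fetch(plan.target, { headers: plan.headers });
      res.writeHead(up.status, { 'Access-Control-Allow-Origin': req.headers.origin,
        'Content-Type': up.headers.get('content-type') || 'application/json' });
      res.end(await up.text());
    } catch { res.writeHead(502); res.end(); }
  }).listen(port);
}
if (process.env.PROXY_PORT) start(Number(process.env.PROXY_PORT));
```

The Origin check only filters browser traffic from other sites, since a non-browser client can send any Origin it likes; the path allowlist and the per-client limit are what bound how much of the quota a stranger can spend.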
