How to protect an API Key when using JavaScript?

by

Short answer: No

What ever you do to obfuscate the key, you still have to send it to make it available on the client somehow, and therefore it will be possible to extract it using fx. Firebug.

Even if you devise an awesome magical way to keep the key secret, at some point you would have to make the actual API-request, and as it would have to be sent from the browser, an attacker would be able to read out the key in plain text from Firebugs net tab.

The right thing to do is to create a PHP wrapper around the API calls that require keys, and then call that wrapper from Javascript.

More Related Contents:

  1. How to Logout of an Application Where I Used OAuth2 To Login With Google?
  2. How to detect when a youtube video finishes playing?
  3. What’s the API Key for in Google Maps API V3?
  4. What do the brackets around the arguments mean when reading documentation for a method? [duplicate]
  5. What is the difference between post api call and form submission with post method?
  6. Has Facebook sharer.php changed to no longer accept detailed parameters?
  7. Google maps saving draggable directions
  8. AngularJs and Facebook Comments
  9. Dynamic Adsense Insertion With JavaScript
  10. Is there any way to get Firebase Auth User UID?
  11. Using setInterval() with a .map method in array and returning as a promise
  12. YouTube iFrame API “setPlaybackQuality” or “suggestedQuality” not working
  13. how Postman send requests? ajax, same origin policy
  14. How can I tell if Google’s Streetview Image API Returns “Sorry, we have no imagery here” (ie. NULL) Result?
  15. How to extract url data from Reddit API using JSON
  16. Spotify Apps API: any more documentation?
  17. MediaElementAudioSource outputs zeroes due to CORS access restrictions
  18. Intercept the same API call multiple times in Cypress
  19. Cloud Functions for Firebase trigger on time?
  20. What does ‘var that = this;’ mean in JavaScript?
  21. Validation of file extension before uploading file
  22. Download JSON object as a file from browser
  23. Obtain form input fields using jQuery?
  24. setInterval timing slowly drifts away from staying accurate
  25. Native JS equivalent to jQuery delegation
  26. How can I create numbered map markers in Google Maps V3?
  27. browserify error /usr/bin/env: node: No such file or directory
  28. Hide certain values in output from JSON.stringify()
  29. Google Adwords CSP (content security policy) img-src
  30. Replacing selected text in the textarea

Leave a Comment