0

I am using a javascript sdk provided to us at our office? We are required to use the api_key assigned when we create our app to make any API calls on the server, e.g.:

Built.app(api_key)

How safe is it to make that API key clearly visible to the client? Because using the same API key, a user B can create and use this API key to create unnecessary objects!!

1
  • I am using a javascript sdk provided to us at our office? If you don't know, who knows? Commented Apr 29, 2015 at 17:51

1 Answer

2

No, it is not safe. Anyone who downloads your page can clearly see your API key. They could copy this key and use it for themselves.

A safer approach is to keep the API key on your server and have your page make calls to your server which then uses the API key to make calls to the API.


3 Comments

Yes, that was the doubt I had!! So how do Facebook and Google handle such things when they provide a JS SDK to log in to Facebook or Google using the API key!!
I think this is the right answer, but, if I'm reading the OP correctly, it's not an option. It seems the SDK requires the API key, and, unless the SDK can run, e.g., on a node.js server, it may not be possible to keep the API key confined to the server. Seems like a bad SDK design to me.
I suspect that when you register for an API with Google they associate the client secret key with the domain name you are using it on. Then when you make an API request they check the key is being used on a page served from a permitted domain.
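
The server-side approach from the answer above, as an added example that is not part of the original thread or the SDK: a small Node.js proxy that holds the key and forwards only allow-listed operations. The upstream host, the `X-Api-Key` header, the routes and the size limits are assumptions made for illustration.

```javascript
// Added example, not the SDK's code. Host, header name and routes are hypothetical.
const UPSTREAM = 'https://api.example.invalid';

// The only operations a browser may trigger; everything else is refused.
const ALLOWED = {
  'GET /notes': { method: 'GET', path: '/v1/objects/notes', maxBody: 0 },
  'POST /notes': { method: 'POST', path: '/v1/objects/notes', maxBody: 2048 },
};

// Map a browser request to an upstream request, or to an error response.
// The key is attached here, server-side, and never returned to the client.
function buildUpstreamRequest(method, path, body, apiKey) {
  if (!apiKey) return { status: 500, error: 'server misconfigured' };
  const rule = ALLOWED[`${method} ${path}`];
  if (!rule) return { status: 404, error: 'operation not allowed' };
  if (body.length > rule.maxBody) return { status: 413, error: 'body too large' };
  if (rule.maxBody > 0) {
    try { JSON.parse(body); } catch { return { status: 400, error: 'invalid JSON' }; }
  }
  return {
    url: UPSTREAM + rule.path,
    options: {
      method: rule.method,
      headers: { 'X-Api-Key': apiKey, 'Content-Type': 'application/json' },
      body: rule.maxBody > 0 ? body : undefined,
    },
  };
}

// Start the proxy: startProxy(process.env.API_KEY, 3000). Needs Node 18+ for fetch.
function startProxy(apiKey, port) {
  const http = require('node:http');
  return http.createServer(async (req, res) => {
    try {
      let body = '';
      for await (const chunk of req) {
        body += chunk;
        if (body.length > 4096) break; // stop reading oversized uploads
      }
      const out = buildUpstreamRequest(req.method, req.url, body, apiKey);
      if (out.error) { res.writeHead(out.status); return res.end(out.error); }
      const upstream = await fetch(out.url, out.options);
      res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
      res.end(await upstream.text());
    } catch {
      if (!res.headersSent) res.writeHead(502);
      res.end('upstream unavailable');
    }
  }).listen(port);
}
```

Because the proxy is the only holder of the key, it is also the place to apply per-user authentication and rate limits before forwarding.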
