2

I am new to JavaScript.

The help I wanted was to understand how to protect the API key used to access my RESTful web services.

I am accessing some RESTful web services using API keys and I want those API keys to be protected. When I put API keys in Controllers they will be visible to users, since JavaScript code can be seen by the end user.

Is there any way that I can register these as some variables and use them in Controllers so that an end user who views the JavaScript code cannot see the API key?

Thanks in advance!

2
  • 1
    No, you can't. Even if you somehow obfuscate your JS, the keys will still be visible in the request itself. Commented Jan 2, 2013 at 0:18
  • 2
    Note that some APIs, such as Google's, allow you to set valid referrers for the API key. The key will only work if the request comes from that referrer. It is not exactly key protection, but it does prevent a stolen key from being used on another web site. Commented Jan 2, 2013 at 2:20

3 Answers

5

If you need to protect anything, do it on the server. You can proxy API calls on the server, for instance, but there's no way you can protect anything with client-side JavaScript code.

2 Comments

Can you please explain a little about how to proxy the API calls or direct me to a sample?
If the [server Proxy] makes an HTTP request to the [API Server], there is packet data that is sent across the net. I guess SSL scrambles that to stop anyone looking at the data from seeing a plain-text key, for example. Also, it is harder to do that kind of thing vs. looking in the developer tools of a JS web page or app. There is also a difference between a set of files that are downloaded and run from a server (a web page or live mobile app) and a set of files downloaded into a mobile app's file space, like a native app. What do requests look like if they come from a native app? Can limit to domain.
3

You are absolutely confused.

You are trying to achieve security by obscurity. Everything that is on the client is transparently hackable.

The user should only be allowed to access a resource after a successful authentication and authorization. Period.

So you must store your API keys on the server if they are supposed to be secret (like those provided by Facebook, ...).

(btw: remove the angularjs tag).

-2

I am using AngularJS together with PlayFramework, and it seems like I can solve the issue, as external web services/APIs are accessed through Play controllers, where controller methods are accessed by the AngularJS model with

jsRouter.controllers.Application.tasks().ajax

So, the external API keys don't have to be in AngularJS models.

Thanks all for help.

1 Comment

But that doesn't really solve the problem. The danger of having API keys exposed in your client-side app is that some user might use them to make illegal requests. They can still do that by calling your Play controllers, just like you do in Angular.
