
I am making a website that makes HTTP requests to YouTube's server.

And I have to generate an API key for that.

The project I am working on only contains a frontend; there's no backend to it.

 

The 1st question I am asking is, is it really safe to store your API keys in your front end codebase?

Like I pushed my project onto GitHub, what if some random person went in and saw my API key and started using it?

 

The 2nd question I wanna ask is: if let's say that my site went online, and thousands of people start to use my site, so many HTTP requests are being made all using that one API key, what happens then?

Is the site gonna become really slow? Or will Google ban that API key? If my site does blow up, how do I upscale my site to meet the requests?

 

The 3rd question is that, should I use a backend to store all of the API keys? Just so that no one can mess with them.

 

Thanks in advance.

If it is not broken, let's fix till it is. 

https://linustechtips.com/topic/1007809-handle-api-keys-and-using-apis-in-general/

If it's somewhat similar to other Google API keys, you do have a maximum amount of requests per month. It should be detailed where you have your key code.

As for source code, obviously if the key is visible in the front end code someone can take it and use it for their own things. But realistically, unless someone wants to piss you off, you shouldn't worry that much about it unless you buy a license key with more request limit (if their YouTube API also has that limit).


12 minutes ago, Franck said:

If it's somewhat similar to other Google API keys, you do have a maximum amount of requests per month. It should be detailed where you have your key code.

As for source code, obviously if the key is visible in the front end code someone can take it and use it for their own things. But realistically, unless someone wants to piss you off, you shouldn't worry that much about it unless you buy a license key with more request limit (if their YouTube API also has that limit).

I see. Thanks!

If it is not broken, let's fix till it is. 


14 hours ago, mshaugh said:

You can add restrictions to your keys in the API console.

Can you limit by IP?

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


I'm not sure that's going to work, seeing as the request will come from the user and not the web server.

It's a tough one to solve. One solution is to make a sort of proxy that takes a user's request, generates a request to YouTube and returns the data.

I've done this at work to allow front ends to connect to our lambdas so they don't get any API keys.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´
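
The proxy described in the post above, sketched for Node.js 18+ as an added example that is not part of the original thread: the key stays in a server-side environment variable, client parameters are allowlisted, and a per-IP limiter protects the shared quota. The `/api/search` route, the `YT_API_KEY` variable name, the limits and the use of the YouTube Data API v3 search endpoint are assumptions made for illustration.

```javascript
// Added example: server-side proxy so the browser never receives the API key.
const UPSTREAM = 'https://www.googleapis.com/youtube/v3/search';
const ALLOWED = new Set(['q', 'maxResults', 'pageToken']); // params a client may set
const WINDOW_MS = 60_000, MAX_PER_WINDOW = 30;             // assumed per-IP budget
const hits = new Map();                                     // ip -> request timestamps

// Build the upstream URL from untrusted client params. The key is set by the
// server, so a client-supplied "key" or any non-allowlisted param is dropped.
function buildUpstreamUrl(clientParams, apiKey) {
  const url = new URL(UPSTREAM);
  for (const [name, value] of clientParams) {
    if (ALLOWED.has(name) && !url.searchParams.has(name)) {
      url.searchParams.set(name, String(value).slice(0, 200));
    }
  }
  const n = parseInt(url.searchParams.get('maxResults') ?? '10', 10);
  url.searchParams.set('maxResults', String(Math.min(Math.max(n || 10, 1), 25)));
  url.searchParams.set('part', 'snippet');
  url.searchParams.set('type', 'video');
  url.searchParams.set('key', apiKey);
  return url;
}

// Sliding-window limiter: one noisy client cannot burn the whole quota.
function allowRequest(ip, now = Date.now()) {
  const recent = (hits.get(ip) ?? []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < MAX_PER_WINDOW;
  if (ok) recent.push(now);
  hits.set(ip, recent);
  return ok;
}

async function handle(req, res, apiKey) {
  const incoming = new URL(req.url, 'http://localhost');
  if (req.method !== 'GET' || incoming.pathname !== '/api/search') return res.writeHead(404).end();
  if (!allowRequest(req.socket.remoteAddress)) return res.writeHead(429).end('rate limit');
  const upstream = await fetch(buildUpstreamUrl(incoming.searchParams, apiKey));
  const body = await upstream.text();
  res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
  res.end(body);
}

// Starts only when the key comes from the environment (assumed name YT_API_KEY).
async function start(port = 8080) {
  const { createServer } = await import('node:http');
  createServer((req, res) =>
    handle(req, res, process.env.YT_API_KEY).catch(() => res.writeHead(502).end())).listen(port);
}
if (process.env.YT_API_KEY) start();
```

The front end then requests `/api/search?q=...` from its own origin, and the key never appears in the repository or in anything sent to the browser.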


55 minutes ago, vorticalbox said:

I'm not sure that's going to work, seeing as the request will come from the user and not the web server.

It's a tough one to solve. One solution is to make a sort of proxy that takes a user's request, generates a request to YouTube and returns the data.

I've done this at work to allow front ends to connect to our lambdas so they don't get any API keys.

I think that I am gonna follow this guide.

 

 

If it is not broken, let's fix till it is. 
