Question

I am accessing a third-party API. It requires a key, which is the same key for all of my users. Currently, my application includes that key in the client-side code, and calls the third party API directly. So any user can decompile my code, and get the key tied to my application. (Bad, right?)

I am guessing that I need to have a server between the client and third-party. And the client makes a request to the server, which has the key. The server then makes the request to the third party, and returns the results to the client. Is this the right approach?

If this is the correct approach, would I build the server and run it on AWS? Or do third-party tools for this use already exist? (I saw AWS Gateway, but that appeared to be about building APIs, not accessing them.) How should I have a user access the third party, without giving them the secret key which is shared among all users?


Solution

Popular services like Google use API key(s). This key should be protected as this is what is used to track your usage against the service. Many services are volume based and will charge appropriately based on usage.

Typically, these services are accessed via a server side component.

Client -> Your Service (API Key) -> Calls External Service

Then the client knows nothing about the key.

OTHER TIPS

Well, yes. If you don't want your users to be able to use the 3rd-party API on their own terms, then you have to proxy the access to that API and introduce a different kind of authentication between your users and the proxy.

It's always a good idea to reflect whether that is actually what you need to do, though. Why do you care whether your users use that API from within or without your app? Have you signed an agreement that you'll only let your registered users have that key? (Then this may be necessary to demonstrate good-faith efforts for compliance.) Are you concerned that users might overuse the API? That can be a valid reason, but of course then you have to add rate-limiting to your proxy rather than simply passing all authenticated requests on.
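Both answers above describe the same shape: the client authenticates to your own service, your service holds the third-party key and forwards only the calls you choose to allow, and (per the second answer) it rate-limits rather than passing every authenticated request through. The following is an added example of that proxy, not code from either answer; it uses only the Python standard library and assumes a placeholder upstream base URL (`https://api.example.invalid/v1`), that the key is supplied through a `THIRD_PARTY_API_KEY` environment variable, constructed sample client tokens, and an allow-list of two upstream paths.

```python
"""Minimal API-key proxy: the third-party key never leaves the server.

Added example, not taken from the original answers. Assumptions: the
upstream base URL is a placeholder, clients present a bearer token that
your own service issued, and a fixed-window rate limit applies per token.
"""
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qsl
from urllib.request import Request, urlopen

# Placeholder upstream; a real deployment points this at the vendor's API.
UPSTREAM_BASE = "https://api.example.invalid/v1"
# The shared third-party key lives only in the server's environment.
THIRD_PARTY_KEY = os.environ.get("THIRD_PARTY_API_KEY", "placeholder-key")
# Per-user tokens issued by *your* service (constructed sample values).
CLIENT_TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
# Only the upstream operations your app actually needs are reachable.
ALLOWED_PATHS = {"/search", "/lookup"}


class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds per user."""

    def __init__(self, limit=60, window=60.0):
        self.limit, self.window = limit, window
        self._buckets = {}  # user -> [window_start, count]

    def allow(self, user, now=None):
        now = time.monotonic() if now is None else now
        start, count = self._buckets.get(user, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self._buckets[user] = [start, count]
            return False
        self._buckets[user] = [start, count + 1]
        return True


def authenticate(headers, tokens=CLIENT_TOKENS):
    """Return the user for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return tokens.get(token.strip())


def build_upstream_request(path, query, api_key=THIRD_PARTY_KEY):
    """Map a client request onto the upstream call, injecting the key server-side.

    Returns (url, headers), or None when the path is not on the allow-list.
    Any client-supplied 'key' parameter is dropped so a user cannot override it.
    """
    if path not in ALLOWED_PATHS:
        return None
    params = [(k, v) for k, v in parse_qsl(query) if k != "key"]
    params.append(("key", api_key))
    return UPSTREAM_BASE + path + "?" + urlencode(params), {"Accept": "application/json"}


class ProxyHandler(BaseHTTPRequestHandler):
    limiter = RateLimiter()

    def do_GET(self):
        user = authenticate(self.headers)
        if user is None:
            return self._reply(401, b"missing or invalid client token")
        if not self.limiter.allow(user):
            return self._reply(429, b"rate limit exceeded")
        parsed = urlparse(self.path)
        target = build_upstream_request(parsed.path, parsed.query)
        if target is None:
            return self._reply(404, b"unknown endpoint")
        url, headers = target
        try:
            with urlopen(Request(url, headers=headers), timeout=10) as resp:
                self._reply(resp.status, resp.read(), resp.headers.get("Content-Type"))
        except OSError:  # covers URLError/HTTPError and socket failures
            self._reply(502, b"upstream unavailable")

    def _reply(self, status, body, content_type="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", content_type or "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run it with `THIRD_PARTY_API_KEY` set, and have the client call `GET /search?q=...` with `Authorization: Bearer <token>` instead of calling the vendor directly. The allow-list and the dropped `key` parameter are what make this more than a pass-through: a user who extracts their own token can only reach the two operations your app exposes, at the rate you set, and never learns the shared key.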

Licensed under: CC-BY-SA with attribution