Question

I'm pretty sure the answer to what I'm going to ask is NO, but maybe someone can give me a different idea, so I'm asking anyway.

I'm developing a control panel that fetches information from a 3rd party web service via an API call. I could make a call with AJAX which returns the result in milliseconds in the browser, but I would be exposing the API Key of this service. Even though this is an intranet with restricted access, an employee could sniff around and get the Private API Key just by watching Safari's Activity window, for example. The employees are trustworthy, but I don't want to risk my development security on just trusting.

What I'm doing now is AJAXing a PHP script which makes the call with CURL, but it takes around 2 or 3 seconds to do so: not the PHP itself, but the shared hosting going to the 3rd party server and back.

Is there a way to make the browser do the request directly to the API without exposing the Private Key? I think that by definition it's impossible, but I'm sharing the scenario so maybe somebody has a better idea (I'm trying to avoid caching because the information fetched changes by the second).

Although it is not the main issue, I have a doubt related to this: if I do the API call through CURL in the Mac OS Terminal or in a local Apache, it takes like 12 seconds every time to get the result, but a browser on the exact same computer and connection gets it in milliseconds. I'm not very familiar with how CURL works internally, but either CURL is a slow mechanism or it is not working well on my Mac.

Thanks


Solution

No, since the JavaScript code is sent to and run ON the client's machine, there is no way to NOT expose the API key in some manner. Encrypting/obfuscating it would be pointless, as a knowledgeable user could just use a header viewer/packet sniffer to extract the plaintext key from the API requests anyway.

The only way to not expose the key to the user is to never let the user get hold of it, which means proxying the requests.
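One way to do that proxying, as an added example that is not from the question or either answer: a minimal PHP endpoint that the page's AJAX call can target instead of the third-party API, so the key never leaves the server. The upstream URL `https://api.example.invalid/v1/`, the `X-Api-Key` header and the `THIRD_PARTY_API_KEY` environment variable are placeholder assumptions; the allowlist of endpoints is what keeps the proxy from becoming an open relay that reaches arbitrary hosts with the server's credentials.

```php
<?php
// Added example, not the questioner's code. Assumed placeholders: upstream
// base URL https://api.example.invalid/v1/, key sent as an X-Api-Key header,
// key stored in the THIRD_PARTY_API_KEY environment variable.
declare(strict_types=1);

// The key lives only on the server (environment or a file outside the web
// root) and is never echoed back to the browser.
$apiKey = getenv('THIRD_PARTY_API_KEY');
if ($apiKey === false || $apiKey === '') {
    http_response_code(500);
    exit('proxy not configured');
}

// The browser may only choose among fixed upstream paths. Forwarding a
// client-supplied URL would let any intranet user reach other hosts
// (including internal ones) with the server's key attached.
$allowedEndpoints = ['status' => 'status', 'orders' => 'orders/recent'];
$endpoint = $_GET['endpoint'] ?? '';
if (!isset($allowedEndpoints[$endpoint])) {
    http_response_code(400);
    exit('unknown endpoint');
}

$ch = curl_init('https://api.example.invalid/v1/' . $allowedEndpoints[$endpoint]);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['X-Api-Key: ' . $apiKey, 'Accept: application/json'],
    CURLOPT_CONNECTTIMEOUT => 3,   // fail fast instead of hanging the panel
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_FOLLOWLOCATION => false, // a redirect must not carry the key to another host
    CURLOPT_SSL_VERIFYPEER => true,
]);
$body   = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($body === false) {
    // curl_error() can include upstream details; log it server-side, don't echo it.
    http_response_code(502);
    exit('upstream error');
}

// Relay the upstream status and body; no-store matches data that changes by the second.
header('Content-Type: application/json');
header('Cache-Control: no-store');
http_response_code($status);
echo $body;
```

The browser then calls `fetch('/proxy.php?endpoint=status')` and only ever sees the proxy's response, never the upstream request that carries the key.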

OTHER TIPS

No, when the browser is requesting the service the user can always sniff the key. So using PHP as a proxy is a good solution.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow