Securely store API key + email

Hi, I’ve searched the forums for something that would answer my question but can’t seem to find anything that fits the bill.

I'm building a public but not published search page which sends a search result, chosen by the user, to a service API using the GET method. All good so far.

The problem is that I want each search entry that the user selects to use my private API account details (email + API key) with the GET method. I know this sounds like a very bad idea, but would it be possible to securely store those sensitive details somehow in the app using JavaScript or something else and still use them for the GET method?

Even if I .htaccess password protect the page and only give the login details to chosen people, I’d still like to protect those sensitive details.

Any ideas?

I would do a proxied request, where there’s a server-side script that does the query with the API key.

The client calls this script, your script calls the server and returns data, and then the script forwards it back to the client. You can still restrict access via .htaccess on the client page to make sure that the call doesn’t get abused.

OK, that makes sense, thanks. So as long as I separate the credentials into another script file (or any file which the client-side script calls?) and protect it with .htaccess, I should be good?

Just checking: if, instead of writing my scripts as 'internal' Hype scripts, I wrote them externally and added them into the Hype project, then used an export script which puts those scripts into a /js folder or something and protected that folder, I could put anything in those scripts, correct?

There's a lot that is highly dependent on your configuration and the data you are trying to protect, so without knowing all the details it would be impossible to offer specific advice. I also wouldn't want to be liable for your setup! :slight_smile:

Note that by "script" I am not referring to JavaScript specifically. To have JavaScript perform the call, you'd likely need to run a node instance. This is a high barrier for probably a small task. On most servers you can do CGI via PHP or other shell scripts. Typically you protect these by server configurations (often but not always default) coupled with filesystem permissions.

Based on what I think you are describing, the answer is no. If you load a .js file with the secret into your client-side application, then the client can see your key.

The goal is to never load the key into anything client-side. That's why the key is located in a file that is only server-side, and performs as a proxy.
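The server-side proxy described in the two replies above, as an added example that is not part of the thread and not Hype's or any poster's code. It assumes a hypothetical upstream search API at `UPSTREAM_URL` that takes a `q` parameter and is authenticated with hypothetical `X-Email` / `X-Api-Key` headers; the email and key are read from server environment variables (`SEARCH_API_EMAIL`, `SEARCH_API_KEY`, names chosen for this example) and never reach the browser. The client-side page only ever calls `/search?q=...` on your own host.

```python
"""Server-side search proxy: the API key lives here, not in the client JS.

Added example for this thread; the upstream URL, header names and
environment variable names are assumptions, not a real service's API.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_URL = "https://api.example.invalid/search"   # hypothetical upstream
ALLOWED_TERM = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")  # accept only plain terms


def load_credentials(env=None):
    """Read email + key from the server environment (never from a .js file)."""
    env = os.environ if env is None else env
    email = env.get("SEARCH_API_EMAIL")
    key = env.get("SEARCH_API_KEY")
    if not email or not key:
        raise RuntimeError("API credentials missing from server environment")
    return email, key


def build_upstream_request(term, credentials):
    """Return (url, headers) for the upstream GET; only this side sees the key."""
    if not ALLOWED_TERM.match(term):
        raise ValueError("search term rejected")
    email, key = credentials
    url = UPSTREAM_URL + "?" + urllib.parse.urlencode({"q": term})
    headers = {"X-Email": email, "X-Api-Key": key}  # hypothetical header names
    return url, headers


def handle_search(query_string, credentials, fetch):
    """Turn a client query string into (status, body) to send back.

    fetch(url, headers) -> bytes is injected so the logic can be exercised
    without network access.
    """
    params = urllib.parse.parse_qs(query_string)
    term = params.get("q", [""])[0]
    try:
        url, headers = build_upstream_request(term, credentials)
    except ValueError as exc:
        return 400, json.dumps({"error": str(exc)})
    try:
        body = fetch(url, headers)
    except Exception:
        # Do not echo upstream error details: they may contain the URL or headers.
        return 502, json.dumps({"error": "upstream request failed"})
    return 200, body.decode("utf-8")


def fetch_upstream(url, headers, timeout=10):
    """Real network fetch used when the proxy runs stand-alone."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


class ProxyHandler(BaseHTTPRequestHandler):
    credentials = None  # set once at startup

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/search":
            self.send_error(404)
            return
        status, body = handle_search(parsed.query, self.credentials, fetch_upstream)
        payload = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    ProxyHandler.credentials = load_credentials()
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The point to check after deploying something like this is that a browser request to `/search` comes back without the key in either the body or the headers, and that the upstream call carries it; the `fetch` parameter exists so that check can be made without hitting the real service. The term allow-list is there because the proxy turns your credentials into an open door to the upstream API for anyone who can reach the page, so the .htaccess restriction on the page and a tight limit on what the proxy will forward both still matter.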

Right, gotcha. Bit more work than I thought then :smirk:

Thanks @jonathan for the insight!

1 Like