2

I'm hosting a service which requires consumers to pass an API key. It can be consumed by both server-side (Ruby, Python, etc.) and client-side applications using JavaScript.

Is it possible to use the API key securely from a JavaScript-only app? I can't think of any way to achieve this at the moment.

1 Answer

3

Not if the key is sensitive data.

All JavaScript is visible to the users, so even an encrypted key could be decrypted. If the key must remain secret, it must never be used in any client-side code or content.

Communication of the key must be server to server, if the key needs to remain completely confidential. A JavaScript-heavy UI will still need to use a server as an intermediary to proxy calls to your service. A full JavaScript-only UI is not an option, unless the customer is willing to leak his service key to his users.
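The server-as-intermediary arrangement described in the answer above, as an added example that is not part of the original answer: the browser calls the customer's own server, which checks the user's session, allows only the routes the UI needs, and attaches the key itself. The upstream URL, the route list, the `Authorization: Bearer` header, the `SERVICE_API_KEY` variable and the `sessionUser` field are all assumptions made for illustration.

```javascript
// Added example: runs on the customer's server (Node.js 18+), never in the browser.
// UPSTREAM, the route allow-list and the header carrying the key are assumptions.
const UPSTREAM = 'https://api.example.com';           // hypothetical service URL
const ALLOWED = [                                     // only the routes the UI needs
  { method: 'GET',  path: /^\/v1\/items(\/[A-Za-z0-9_-]+)?$/ },
  { method: 'POST', path: /^\/v1\/items$/ },
];
// Headers the browser may pass through; everything else is dropped.
const PASS_HEADERS = ['accept', 'content-type'];

// Pure function: turn a browser request into the upstream request, or a refusal.
// browserReq = { method, path, headers, body, sessionUser } (hypothetical shape)
function buildUpstreamRequest(browserReq, apiKey) {
  if (!apiKey) return { status: 500, error: 'proxy misconfigured' };
  // The proxy authenticates the user with its own session, not with the key.
  if (!browserReq.sessionUser) return { status: 401, error: 'login required' };
  const method = String(browserReq.method).toUpperCase();
  const ok = ALLOWED.some(r => r.method === method && r.path.test(browserReq.path));
  // Without an allow-list, any logged-in user could drive the key at any endpoint.
  if (!ok) return { status: 403, error: 'route not allowed' };

  const headers = {};
  for (const [name, value] of Object.entries(browserReq.headers || {})) {
    const lower = name.toLowerCase();
    if (PASS_HEADERS.includes(lower)) headers[lower] = value;
  }
  headers['authorization'] = `Bearer ${apiKey}`;      // added server-side only
  return { status: 200, url: UPSTREAM + browserReq.path, method, headers,
           body: browserReq.body };
}

// Glue: make the call and hand only status and body back to the browser,
// so no request header (including the key) is ever echoed to the client.
async function proxy(browserReq, apiKey = process.env.SERVICE_API_KEY,
                     fetchImpl = fetch) {
  const up = buildUpstreamRequest(browserReq, apiKey);
  if (up.error) return { status: up.status, body: JSON.stringify({ error: up.error }) };
  const res = await fetchImpl(up.url,
    { method: up.method, headers: up.headers, body: up.body });
  return { status: res.status, body: await res.text() };
}
```

The key reaches the process through its environment and appears only in the outbound request, so nothing served to the browser contains it.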
