Api secret keys - How to use them and keep them private ?

Hi everyone,

I am surprised I do not find clear information about where to store API SECRET KEYs in my expo app. I am simply using Google Places API and I would like to know what is the best practice to store the key in my app in a secure (non visible) way ?

I have found the following package : https://github.com/zetachang/react-native-dotenv
but I am surprised there is no integrated way in expo to simply manage API KEY. Am I missing the obvious or did I skip a part in the documentation ?

Thanks in advance for your help !

Hi @ivonig!

There seems to be a general consensus that you should never store any sensitive API keys in your app. Go ahead and read the comments on this forum post for an explanation :+1: (and also this has a little bit more info, as well)

HI @charliecruzan,

Thanks for the answer. However it is very surprising and disappointing for my situation.

Does It mean I can not use any API without having a backend ? Even to connect to a database you need some Secret Info, How do you manage this ?

DO you know how do people use Google places API ? Their KEY is reachable by anyone ? Same for any Mailing solution (sendgrid, mailjet, etc…). It is a big blocking point for me right now unfortunately.

Hundreds of apps use these services, there has to be a way to keep some key private, or I am missing something. :frowning:

And to jump on my own reply, if the only solution is to have them in any type of backend. What solution would you recommend to make it as easy as possible ?

I read recently that Firebase Cloud needed ejection which I would like to avoid as much as possible. Without ejection would you recommend a way to use SECRET API KEY ?

If anyone has a good solution I’d be more than glad to write a full medium post or propose help for the documentation in order to detail the whole process.

some keys are meant to be public, usually this is when you need to combine the key with some user token to access data. eg: with firebase you have an api key but you have some authorization rules configured in firebase so that you can’t do much with just the api key. if having a key alone gives you unrestricted access and it’s potentially something people might want to exploit (eg: google places maybe has some usage limits and if i have access to your key i could potentially rack up a huge bill for you without you knowing) then you have to be careful. if you want to defer spending time building a backend you could just put the key in your code and put a spending cap on it so if someone were to take your key and use it to fire a bunch of requests then they could hit the cap and you’d be able to handle it at that point in time. it’s probably unlikely that anyone will care about doing this but just be prepared for it possibly happening. so it depends if it’s worth it for you

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.