Best practices about how and where to store API keys for online services?

Hi!

In all the tutorials that I have come across where there is access to online services that require an API key, we just hardcode the API key value and we happily continue with the tutorial…

But, when we are developing a real app that we will hopefully submit to the App Store, is this still the recommended way to do it? And what if we host the code in a public source control repository? The API key will be exposed to anyone…

I have read about using certain tools to encrypt the whole repository or parts of it. Or make sure that in the repository you put a dummy value as the API key and warn users that the value needs to be replaced by a valid one, but still I can’t make up my mind.

I would appreciate if someone could say something about this.

Thanks!

Hi @juacado,
You have brought up a very valid point. In commercial projects, the keys are not even committed to any source code repository. For tutorials it is about making the process easy for users of all levels, especially those that are new.

However, it all depends on the project; the keys can be

  • implemented as external files that are added to the code during compilation
  • added via environment variables, set via a script

I’ll let others chime in with their methodologies (if they have any).

cheers,

Jayant

Hey Juacado,

I agree with Jayant that it varies from project to project how they implement their API strategy. There is no silver bullet to this.
At my work we have used obfuscation techniques to obfuscate the API key, which is loosely based on this article.
Check if this helps you!
This is used in a real life commercial project.

Hi @juacado,

If you don’t want to push your key (or any other sensitive data) to the repository, what’s usually done is to externalize it to a file (that is ignored by the source control) and have your project read that file. Then copy that file manually to the people or system that needs it.

To avoid submitting the application to the App Store with the raw key, you should use an obfuscation technique.

Cheers,

Fer
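An added example, not code from any of the posters, of the approach Jayant and Fer describe: a build-phase script that reads the key from an environment variable or from a git-ignored file and generates a Swift source file, so the real key never enters the repository. The file names Secrets.env and Secrets.generated.swift are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example: Xcode "Run Script" build phase that turns an API key into
# generated Swift source, so the key never sits in a committed file.
# Assumptions (not from the thread): the key lives either in the environment
# variable API_KEY or in an untracked file Secrets.env next to the project;
# the output file Secrets.generated.swift is also listed in .gitignore.
set -eu

# Resolve the key: the environment variable wins, otherwise the ignored file.
# Prints the key on stdout; returns 1 (with a message on stderr) if absent.
resolve_api_key() {
  secrets_file="${1:-Secrets.env}"
  if [ -n "${API_KEY:-}" ]; then
    printf '%s\n' "$API_KEY"
    return 0
  fi
  if [ -f "$secrets_file" ]; then
    key=$(grep -E '^API_KEY=' "$secrets_file" | head -n 1 | cut -d= -f2-)
    if [ -n "$key" ]; then
      printf '%s\n' "$key"
      return 0
    fi
  fi
  echo "error: API_KEY not set and no usable $secrets_file; see README" >&2
  return 1
}

# Emit a Swift file exposing the key as a constant. It is regenerated on
# every build and must never be committed.
generate_swift() {
  out="${1:-Secrets.generated.swift}"
  key=$(resolve_api_key "${2:-Secrets.env}") || return 1
  # Escape backslashes and double quotes so the Swift string literal is valid.
  escaped=$(printf '%s' "$key" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  {
    echo '// Generated at build time. Do not commit this file.'
    echo 'enum Secrets {'
    printf '    static let apiKey = "%s"\n' "$escaped"
    echo '}'
  } > "$out"
}

# Fail the build if the generated file is tracked by git (a common mistake).
# Only meaningful inside a repository; returns 0 elsewhere.
check_not_tracked() {
  f="${1:-Secrets.generated.swift}"
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  if git ls-files --error-unmatch "$f" >/dev/null 2>&1; then
    echo "error: $f is tracked by git; add it to .gitignore" >&2
    return 1
  fi
}
```

This only keeps the key out of source control; anything compiled into the app can still be recovered from the shipped binary, which is the separate concern Fer's obfuscation remark addresses.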

Thanks to everyone for your solutions and tips!

Cheers!
