Hi @Devanshu,

There are two different type of API keys to your Amplitude organization, an API key and a Secret key. 

Your data can only be exported if someone has both your API and Secret Key.

In the event that someone has your API key, that individual can potentially send false data as API Keys can be found on a website's source code, so they are somewhat public. That being said, we have never had any issues with customers receiving false data, but in theunlikely event that this happens, please let us know and we will reset that key for you.

If you wish to be extra careful with the API key being there invisible plain text in your HTML or javascript you could maybe add a little obfuscation like so:

amplitude.getInstance().init(getKey(<encoded_key>, <secret>));

You would have to implement the obfuscation/encoding logic of getKey.

Hope you find this to be useful!

@ning.chang. can you please share link or explain more about this  obfuscation/encoding logic of getKey.  setup..

Hello,  I wanted to see if there was any further follow up on this item, on steps to obfuscate the getKey logic?

Further to my question above, payload of that request contains the projects API key so a getKey logic that is encoded still results in the payload containing the api key unless Amplitude decodes it on their end so I don’t think this is a solution.  Can you clarify what our options are to prevent the misuse of these keys?