Skip to main content
Solved

Api key is exposed publicly if I am using the the JS SDK. Should I create a Proxy service on my server to prevent this.

D

Whenever client logs an event in amplitude, its makes an HTTPS request to amplitude api, the payload of that request  contains the projects API key. This means it can be misused and wrong data can be sent.

The first solution to prevent this that came to my mind is to create a proxy service that redirects the events to amplitude after authenticating the request but it has its own cost, so my questions here are:

  1. What are the best practices around here to prevent it?
  2. Is it suggested to let the API Key exposed?

 

 

Thanks,
Devanshu
 

 

Best answer by ning.chang

Hi @Devanshu,

 

There are two different type of API keys to your Amplitude organization, an API key and a Secret key. 


Your data can only be exported if someone has both your API and Secret Key.


In the event that someone has your API key, that individual can potentially send false data as API Keys can be found on a website's source code, so they are somewhat public. That being said, we have never had any issues with customers receiving false data, but in theunlikely event that this happens, please let us know and we will reset that key for you.


If you wish to be extra careful with the API key being there invisible plain text in your HTML or javascript you could maybe add a little obfuscation like so:

amplitude.getInstance().init(getKey(<encoded_key>, <secret>));

You would have to implement the obfuscation/encoding logic of getKey.

 

Hope you find this to be useful!

View original
Did this topic help you find an answer to your question?

5 replies

ning.chang
Team Member
Forum|alt.badge.img+7
  • ning.chang
  • Team Member
  • 72 replies
  • Answer
  • March 11, 2022

Hi @Devanshu,

 

There are two different type of API keys to your Amplitude organization, an API key and a Secret key. 


Your data can only be exported if someone has both your API and Secret Key.


In the event that someone has your API key, that individual can potentially send false data as API Keys can be found on a website's source code, so they are somewhat public. That being said, we have never had any issues with customers receiving false data, but in theunlikely event that this happens, please let us know and we will reset that key for you.


If you wish to be extra careful with the API key being there invisible plain text in your HTML or javascript you could maybe add a little obfuscation like so:

amplitude.getInstance().init(getKey(<encoded_key>, <secret>));

You would have to implement the obfuscation/encoding logic of getKey.

 

Hope you find this to be useful!

Saish Redkar
1 person likes this
  • Saish Redkar
    Saish Redkar
P
Well-Versed
Forum|alt.badge.img+1
  • pawan
  • Well-Versed
  • 15 replies
  • September 28, 2022

@ning.chang. can you please share link or explain more about this  obfuscation/encoding logic of getKey.  setup..

S
Novice
Forum|alt.badge.img+1
  • Song Ha
  • Novice
  • 3 replies
  • October 17, 2023

Hello,  I wanted to see if there was any further follow up on this item, on steps to obfuscate the getKey logic?

S
Novice
Forum|alt.badge.img+1
  • Song Ha
  • Novice
  • 3 replies
  • October 19, 2023

Further to my question above, payload of that request contains the projects API key so a getKey logic that is encoded still results in the payload containing the api key unless Amplitude decodes it on their end so I don’t think this is a solution.  Can you clarify what our options are to prevent the misuse of these keys? 

V

I am exploring ways to ensure the security of API keys and secrets used by our organization. Specifically, if a user gains access to an API key and secret, how can we restrict their usage so that only our organization's applications can access the APIs?

We want to ensure that:

  1. The API keys and secrets cannot be misused by external users or applications.
  2. API calls are strictly limited to requests originating from our organization's environment.

    Are there best practices or recommended solutions to achieve this level of restriction? Any insights or shared experiences would be greatly appreciated!

 

Reply


Helpful Members this Week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings