Thanks for this question @chance. I’m going to share this with the team as I’m not a legal expert. In the interim this guide is a good place to start - link.
Hey @chance
You are correct in your interpretation - that any individual can potentially send false data since your public key is out there, which is quite normal.
You can refer to Ning’s reply on this post for more clarity.
Thanks @Saish Redkar and @Jeremie Gluckman. This is very helpful.
What does the legal team say? Is it ok to include an API key in an open-source product?
Hi @chance,
I hear your concerns on the possibility of data flooding your project if hackers decide to abuse the API key. This does end up being a natural possibility due to our SDKs being open source. What I can assure you is that with just the API Key, the integrity of any real user data would stay intact and they would not have access to downloading or exporting your data from Amplitude.
If bot activity does occur, there are ways to block and filter these types of requests from your Amplitude project. More information on how to block/filter data can be found here: https://help.amplitude.com/hc/en-us/articles/360016338212#h_88c3bdf1-84fd-4e14-8d00-c540d1596569
That being said, there are a couple of ways other customers have worked around this. Sending data to Amplitude server-side is the most direct alternative. Some customers have also routed their data through a proxy server before sending the data to Amplitude. Some documentation on how to set that up can be found here.
Hope this helps! Let me know if you have any questions or concerns.
Best regards,
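A minimal proxy of the kind the reply above describes, as an added example (not Amplitude's code or the poster's): the open-source client posts events to this server, the server validates the batch and rate-limits by client IP, and only the server attaches the API key before forwarding. The Amplitude HTTP API v2 endpoint, the event allow-list and the limits are assumptions for illustration.

```python
import json, os
from collections import defaultdict, deque
from urllib.request import Request, urlopen

# The key lives only on the proxy (env var); the open-source client never sees it.
# Endpoint is Amplitude's HTTP API v2 (assumption: not stated in the thread).
AMPLITUDE_API_KEY = os.environ.get("AMPLITUDE_API_KEY", "<server-side key placeholder>")
AMPLITUDE_URL = "https://api2.amplitude.com/2/httpapi"
ALLOWED_EVENT_TYPES = {"page_view", "signup", "purchase"}  # constructed allow-list
MAX_BATCH, RATE_LIMIT, WINDOW_SECONDS = 10, 30, 60  # per request / per client IP per window
_buckets = defaultdict(deque)  # client_ip -> timestamps of recently accepted events

def within_rate_limit(client_ip, count, now):
    """Sliding window: admit `count` events only if the client stays under RATE_LIMIT."""
    q = _buckets[client_ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) + count > RATE_LIMIT:
        return False
    q.extend([now] * count)
    return True

def sanitize_events(raw):
    """Keep only known event types and whitelisted fields; reject anything malformed."""
    if not isinstance(raw, list) or not 0 < len(raw) <= MAX_BATCH:
        raise ValueError("bad batch size")
    cleaned = []
    for ev in raw:
        if not isinstance(ev, dict) or ev.get("event_type") not in ALLOWED_EVENT_TYPES:
            raise ValueError("unknown event_type")
        ident = ev.get("user_id") or ev.get("device_id")
        if not isinstance(ident, str) or not 5 <= len(ident) <= 64:
            raise ValueError("missing user_id/device_id")
        out = {k: ev[k] for k in ("event_type", "user_id", "device_id") if isinstance(ev.get(k), str)}
        out["event_properties"] = ev["event_properties"] if isinstance(ev.get("event_properties"), dict) else {}
        cleaned.append(out)
    return cleaned

def handle_request(client_ip, body, now):
    """Validate one client batch; return (http_status, payload_to_forward_or_None)."""
    try:
        events = sanitize_events(json.loads(body))
    except ValueError:  # json.JSONDecodeError is a ValueError too
        return 400, None
    if not within_rate_limit(client_ip, len(events), now):
        return 429, None
    return 200, {"api_key": AMPLITUDE_API_KEY, "events": events}

def forward(payload):  # POST a validated batch; only the proxy ever attaches the key
    req = Request(AMPLITUDE_URL, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"})
    return urlopen(req, timeout=5).status
```

Wire `handle_request` behind your HTTP framework's POST route, passing the client address, the raw body and the current time, and call `forward` only on a 200 result.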