Solved

Is it OK to include project API key in open source project?

  • 14 February 2023
  • 4 replies
  • 171 views

Dear Amplitude friends,


I have an open-source project, and I want to track usage. Is it OK to include (hard-code) my project API key in this open-source project?


Is such action going to violate the license of Amplitude? Are there any other legal concerns preventing me from doing that?


Please consider the extreme case that when hackers acquire my open-source project, there might be excessive pings into Amplitude’s system using my project API key with ill intentions and without my supervision. Does Amplitude have concerns over that? Do you know if there are precautions or recommendations you can help suggest?


Best regards,

-Chance A


Best answer by Saish Redkar 16 February 2023, 00:38


4 replies

Userlevel 6
Badge +9

Thanks for this question @chance. I’m going to share this with the team as I’m not a legal expert. In the interim this guide is a good place to start - link.

Userlevel 7
Badge +10

Hey @chance

You are correct in your interpretation - that any individual can potentially send false data since your public key is out there, which is quite normal.

You can refer to Ning’s reply on this post for more clarity.


Thanks @Saish Redkar and @Jeremie Gluckman . This is very helpful 👍

What does the legal team say? Is it ok to include an API key in an open-source product?

Userlevel 5
Badge +5

Hi @chance

I hear your concerns on the possibility of data flooding your project if hackers decide to abuse the API key. This does end up being a natural possibility due to our SDKs being open source. What I can assure you is that with just the API Key, the integrity of any real user data would stay intact and they would not have access to downloading or exporting your data from Amplitude.

If bot activity does occur, there are ways to block and filter these types of requests from your Amplitude project. More information on how to block/filter data can be found here: https://help.amplitude.com/hc/en-us/articles/360016338212#h_88c3bdf1-84fd-4e14-8d00-c540d1596569

That being said, there are a couple of ways other customers have worked around this. Sending data to Amplitude server-side is the most direct alternative. Some customers have also routed their data through a proxy server before sending the data to Amplitude. Some documentation on how to set that up can be found here.

Hope this helps! Let me know if you have any questions or concerns.

Best regards,
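The server-side / proxy route recommended in the answer above, as an added example that is not Amplitude's code or the project's own: a small relay that validates event batches coming from the open-source client, rate-limits per device, and only then attaches the API key held on the server, so the key never ships in the public repository. The ingest URL, request body shape, event allow-list and quota are assumptions for illustration.

```python
# Added example (not Amplitude's code). Assumed endpoint and body shape:
# POST {"api_key": ..., "events": [...]}; allow-list and quota are constructed.
import json
import time
import urllib.request

AMPLITUDE_URL = "https://api2.amplitude.com/2/httpapi"   # assumed endpoint
ALLOWED_EVENTS = {"app_start", "feature_used"}          # constructed allow-list
MAX_EVENTS_PER_MINUTE = 60                              # constructed per-device quota


class DeviceRateLimiter:
    """Fixed-window counter per device_id; bounds flooding from any one client."""
    def __init__(self, limit=MAX_EVENTS_PER_MINUTE, window=60.0):
        self.limit, self.window, self._buckets = limit, window, {}

    def allow(self, device_id, n, now):
        start, count = self._buckets.get(device_id, (now, 0))
        if now - start >= self.window:          # new window: reset the count
            start, count = now, 0
        allowed = count + n <= self.limit
        self._buckets[device_id] = (start, count + n if allowed else count)
        return allowed


def build_upstream_body(client_body, api_key, limiter, now=None):
    """Validate one client batch; return (http_status, body for Amplitude or None).

    The open-source client never carries the key: it is injected here, any
    key the client sent is ignored, and unknown event types are rejected."""
    now = time.time() if now is None else now
    events = client_body.get("events") if isinstance(client_body, dict) else None
    if not isinstance(events, list) or not 0 < len(events) <= 100:
        return 400, None
    if not all(isinstance(e, dict) and e.get("event_type") in ALLOWED_EVENTS
               and isinstance(e.get("device_id"), str) for e in events):
        return 400, None
    device_ids = {e["device_id"] for e in events}
    if len(device_ids) != 1:                    # one batch, one client
        return 400, None
    if not limiter.allow(device_ids.pop(), len(events), now):
        return 429, None                        # over quota: drop, do not forward
    clean = [{"event_type": e["event_type"], "device_id": e["device_id"],
              "time": int(e.get("time") or now * 1000)} for e in events]
    return 200, {"api_key": api_key, "events": clean}  # key attached only here


def forward(body):
    """Network call to Amplitude with the validated batch (not run by tests)."""
    req = urllib.request.Request(AMPLITUDE_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Wire `build_upstream_body` behind whatever HTTP framework the project uses and call `forward` on a 200; blocked batches cost only a JSON parse, so an abusive client cannot turn the relay into a free path to Amplitude.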

