Solved

API key is exposed publicly if I am using the JS SDK. Should I create a proxy service on my server to prevent this?

  • 9 March 2022
  • 4 replies
  • 2308 views

Whenever a client logs an event in Amplitude, it makes an HTTPS request to the Amplitude API, and the payload of that request contains the project's API key. This means it can be misused and wrong data can be sent.

The first solution to prevent this that came to my mind is to create a proxy service that redirects the events to amplitude after authenticating the request but it has its own cost, so my questions here are:

  1. What are the best practices around here to prevent it?
  2. Is it suggested to let the API Key exposed?

Thanks,
Devanshu
Best answer by ning.chang 11 March 2022, 07:43

4 replies


Hi @Devanshu,

There are two different types of API keys for your Amplitude organization, an API key and a Secret key.


Your data can only be exported if someone has both your API and Secret Key.


In the event that someone has your API key, that individual can potentially send false data, as API keys can be found in a website's source code, so they are somewhat public. That being said, we have never had any issues with customers receiving false data, but in the unlikely event that this happens, please let us know and we will reset that key for you.


If you wish to be extra careful with the API key being there in visible plain text in your HTML or JavaScript, you could maybe add a little obfuscation like so:

amplitude.getInstance().init(getKey(<encoded_key>, <secret>));

You would have to implement the obfuscation/encoding logic of getKey.

Hope you find this to be useful!

@ning.chang, can you please share a link or explain more about this obfuscation/encoding logic of the getKey setup?

Hello, I wanted to see if there was any further follow-up on this item, on steps to obfuscate the getKey logic?

Further to my question above, the payload of that request contains the project's API key, so a getKey logic that is encoded still results in the payload containing the API key unless Amplitude decodes it on their end, so I don't think this is a solution. Can you clarify what our options are to prevent the misuse of these keys?