Solved

Is it OK to include project API key in open source project?

  • February 14, 2023
  • 4 replies
  • 467 views

Dear Amplitude friends,

I have an open-source project, and I want to track usage. Is it OK to include (hard-code) my project API key in this open-source project?

Is such an action going to violate the license of Amplitude? Are there any other legal concerns preventing me from doing that?

Please consider the extreme case that when hackers acquire my open-source project, there might be excessive pings into Amplitude’s system using my project API key with ill intentions and without my supervision. Does Amplitude have concerns over that? Do you know if there are precautions or recommendations you can help suggest?

Best regards,

-Chance A

Best answer by Saish Redkar


4 replies

Jeremie Gluckman
Team Member

Thanks for this question @chance. I’m going to share this with the team as I’m not a legal expert. In the interim this guide is a good place to start - link.


Saish Redkar
Expert
  • Answer
  • February 15, 2023

Hey @chance

You are correct in your interpretation - that any individual can potentially send false data since your public key is out there, which is quite normal.

You can refer to Ning’s reply on this post for more clarity

 


  • Author
  • New Member
  • 1 reply
  • February 16, 2023

Thanks @Saish Redkar and @Jeremie Gluckman. This is very helpful 👍

What does the legal team say? Is it ok to include an API key in an open-source product?


Yuanyuan Zhang
Team Member

Hi @chance

I hear your concerns on the possibility of data flooding your project if hackers decide to abuse the API key. This does end up being a natural possibility due to our SDKs being open source. What I can assure you is that with just the API Key, the integrity of any real user data would stay intact and they would not have access to downloading or exporting your data from Amplitude.

If bot activity does occur, there are ways to block and filter these types of requests from your Amplitude project. More information on how to block/filter data can be found here: https://help.amplitude.com/hc/en-us/articles/360016338212#h_88c3bdf1-84fd-4e14-8d00-c540d1596569

That being said, there are a couple of ways other customers have worked around this. Sending data to Amplitude server-side is the most direct alternative. Some customers have also routed their data through a proxy server before sending the data to Amplitude. Some documentation on how to set that up can be found here.

Hope this helps! Let me know if you have any questions or concerns. 

Best regards,
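
The proxy approach mentioned in the reply above, sketched as an added example (not code from this thread or from Amplitude): the open-source client submits events without any key, and a small server-side gate rate-limits each client, allowlists event types, and attaches the key before forwarding. The allowlist, limits and function names are hypothetical; the payload shape assumes Amplitude's HTTP V2 API.

```python
import json
import time

# Assumptions (not from the thread): allowlist, limits and names are constructed
# for illustration; the payload shape follows Amplitude's HTTP V2 API.
AMPLITUDE_URL = "https://api2.amplitude.com/2/httpapi"  # where the payload is POSTed
ALLOWED_EVENTS = {"app_start", "command_run", "app_error"}
MAX_PROPS_BYTES = 1024   # cap on serialized event_properties
BUCKET_CAPACITY = 5      # burst size per client
REFILL_PER_SEC = 0.5     # sustained events per second per client

_buckets = {}  # client_id (e.g. source IP) -> (tokens, last_seen)


def allow(client_id, now=None):
    """Token bucket: True if this client may submit one more event."""
    now = time.monotonic() if now is None else now
    tokens, last = _buckets.get(client_id, (BUCKET_CAPACITY, now))
    tokens = min(BUCKET_CAPACITY, tokens + (now - last) * REFILL_PER_SEC)
    if tokens < 1:
        _buckets[client_id] = (tokens, now)
        return False
    _buckets[client_id] = (tokens - 1, now)
    return True


def build_upstream(submission, client_id, api_key, now=None):
    """Return (200, payload for Amplitude) or (4xx, reason) for one submission."""
    # Rate-limit first so a flood of junk is bounded per client as well.
    if not allow(client_id, now):
        return 429, "rate limited"
    # Clients never send a key; one that does is not our client.
    if not isinstance(submission, dict) or "api_key" in submission:
        return 400, "malformed submission"
    event_type = submission.get("event_type")
    device_id = submission.get("device_id")
    props = submission.get("event_properties", {})
    if not isinstance(event_type, str) or event_type not in ALLOWED_EVENTS:
        return 400, "unknown event_type"
    if not isinstance(device_id, str) or not 5 <= len(device_id) <= 64:
        return 400, "bad device_id"
    if not isinstance(props, dict) or len(json.dumps(props)) > MAX_PROPS_BYTES:
        return 400, "bad event_properties"
    event = {"event_type": event_type, "device_id": device_id,
             "event_properties": props}
    # The key is attached here, server-side; it never ships in the repository.
    return 200, {"api_key": api_key, "events": [event]}
```

Rejected submissions never reach the Amplitude project, which complements the block/filter settings linked in the reply rather than replacing them.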

 

