API security risks

Hi guys, hope you all are doing well!

I have a question regarding API keys. What are the biggest security risks regarding API keys being stolen, what type of information can someone get from an API key?
Also, is there any risk in sharing a free to use API key?

I tried searching on google, but couldn’t find any clear answers!

2 Likes

Did you see this post:

1 Like

API keys are unique to each user, so if you request an API key from a company, they can trace it back to you for authentication and give you the right access. If you lose the private key, it allows others to decrypt all your communication and they can impersonate you.

This is an example of why you shouldn’t post private keys on places like Github:


Maybe it’s not as extreme as AWS and you’re not racking up a huge bill, but it’s still best practice to hide your keys like in a .env file and add that to your .gitignore file.

An oversimplified version of how they do this is they do some fingerprinting to see what services you are using, and work to find other things that may match (finding S3 buckets, additional keys) and then they go to town exploiting you and they could hide their tracks so you never even notice.

If you’re on a team, you probably share the same keys, but it depends.

2 Likes
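A defender-side check in the spirit of the .env/.gitignore advice above, as an added example that is not code from this thread: it scans a file about to be committed for values that look like API keys and confirms that .env is covered by .gitignore. The key patterns, the entropy threshold and the sample file are all constructed for illustration.

```python
# Added example (not from the thread): a pre-commit style check that flags files
# that look like they carry an API key and confirms .env is git-ignored, so keys
# kept in .env never reach GitHub in the first place.
import fnmatch
import math
import re
from collections import Counter

# Illustrative patterns only (constructed); real secret scanners carry many more.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
ENTROPY_THRESHOLD = 4.0  # bits per char: random keys sit above, placeholders below

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line_number, pattern_name) for each line that looks like a key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in KEY_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if name == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a real key
            hits.append((lineno, name))
    return hits

def env_is_ignored(gitignore_text: str) -> bool:
    """True if the rules exclude a top-level .env (last matching rule wins)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        if fnmatch.fnmatchcase(".env", rule.lstrip("!").lstrip("/")):
            ignored = not rule.startswith("!")
    return ignored

# Constructed sample of a front-end file about to be committed.
SAMPLE_JS = """\
const apiKey = "x9Qm3vLpR7tZkW2bH4nJ8cY1fA5gD6eS";  // real-looking: flagged
const api_key = "put_your_own_key_here_please";      // placeholder: skipped
const awsId = "AKIACONSTRUCTEDKEY00";                // AWS-style id: flagged
"""
```

Wire `find_secrets` over `git diff --cached` output in a pre-commit hook and fail the commit on any hit; the entropy gate keeps documentation placeholders from blocking every commit.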

Ah I see… would not want that to happen to me… How would I hide an API key when using something like codepen? I’ve read that codepen doesn’t support environmental variables?

Thanks! I actually did see that post; it still left me with some questions, though.

Your best bet is to not rely on Codepen for showcasing projects that rely on APIs with keys. Use GitHub pages or Surge.

However, there is a hacky workaround for using API keys on Codepen, but it won’t be accessible to others (e.g. future employers you are intending to impress).

1 Like