TLDR; The difference comes down to direct access vs. delegated access. OAuth allows you to make delegated access. The benefits of delegated access don’t change if there is a user involved or not. The same arguments that make the OAuth Authorization code flow attractive for user-to-machine access, apply to the OAuth Client credentials flow for … Read more
Short answer: No What ever you do to obfuscate the key, you still have to send it to make it available on the client somehow, and therefore it will be possible to extract it using fx. Firebug. Even if you devise an awesome magical way to keep the key secret, at some point you would … Read more
Crazy as it sounds, this is probably the best solution. Everything else is more complicated, but not much more secure. Any fancy obfuscation techniques you use are just going to be reverse engineered almost as quickly as they’ll find this key. But this static key solution, while wildly insecure, is nearly as secure than the … Read more
The conventional alternative to what you’re doing, especially when pertaining to API keys, is to use environment variables. This is an operating system-level configuration facility. Each process has its own set of environment variables, usually inherited from its parent process. By convention, environment variables have uppercase names. In node.js, you can access environment variables through … Read more
TLDR: Use environment variables! I think @Bryce’s comment offers an answer, which I’ll just flush out. It seems one approach Heroku recommends is to use environment variables to store sensitive information (API key strings, database passwords). So survey your code and see in which you have sensitive data. Then create environment variables (in your .bashrc … Read more
There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it. Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they’ve likely just obscured it somehow. For example, you could break it up into different files or strings, etc. Note: Using a hex editor … Read more
Unfortunately, keeping any key in your React client, even if you are using gitignore and an .env file, is not secure. As pointed out by Claudiu Creanga, React environment variables are embedded in the build and are publicly accessible. You should really only save API keys or secrets in your backend such as Node.js or … Read more
Four steps npm install dotenv –save Next, add the following line to your app. require(‘dotenv’).config() Then create a .env file at the root directory of your application and add the variables to it. // contents of .env REACT_APP_API_KEY = ‘my-secret-api-key’ Finally, add .env to your .gitignore file so that Git ignores it and it never … Read more