How to Keep REST API Credentials Secure

If you are building mobile apps then you are connecting to some REST API. For example, if you want to resolve an address to a latitude/longitude information to display on a map, you might use the Google Geocoding API: Francisco,CA&key=AIzaSyDvFMYGjeR02RH

If you are invoking the API from the client, then the API key also has to be present on the client. But, this is also the problem. It’s very easy to look at the app source in the browser and get access to the API key. If someone has access to your API key, they can send requests on your behalf (without you knowing), and use up your request quota. Even if you are building a hybrid app, it’s still the same problem. A hybrid app is HTML/JavaScript inside a native wrapper, it’s possible to download the app, un-package it and gain access to API keys or any sensitive information stored in the app. Even native apps are not immune to this. For example, an Android app is just a Java application and a Java application can be de-compiled to view the original source. The next image shows how to get access to an API key in the browser:

Screen Shot 2015-06-10 at 4.25.02 PM
Viewing app source in browser

A good solution is to never expose the API key (or any other sensitive data) on the client. How do you do that? You keep the API key and any other sensitive information on the server.

Screen Shot 2015-06-10 at 3.54.57 PM Secure Proxy Secure Proxy (part of Backend Services) enables app developers to keep sensitive app data on the server. Your API keys or any other data is never exposed on the client. Watch this 5-minute video on how to use Secure Proxy:

Before using the Secure Proxy, you need to store the data on the server. To store the data you are going to use the Database. It’s as simple as creating a collection with two columns. The first column is the value name, the second column is the actual value. This is how the database looks when storing the API key for Google Geocoding API:

Screen Shot 2015-06-10 at 3.46.54 PM
Saving API key in database

As this key is stored on the server, no one (but you) has access to it. You can store other data as well such as URLs, tokens or anything else that shouldn’t be exposed on the client.

The next step is to setup the proxy that will use the information stored in the database. This step is also very simple, this is how it looks:

Screen Shot 2015-06-10 at 3.57.25 PM
Secure proxy linked to a database

You give the proxy a name and then link it to a database which stores your data. The above proxy is linked to Secrets_db database, Credentials collection, and secretNamesecretValue columns.

The last step is to link a REST API service to the proxy.  In the service editor you select the secure proxy created:

Screen Shot 2015-06-10 at 4.14.01 PM
REST API service using secure proxy

then in the Request tab you reference the API key stored in the database (the name stored in secretName column):

Screen Shot 2015-06-10 at 4.15.51 PM
Request parameter substitution will happen on the server

and that’s it.

When the API service is invoked, the call will go through the secure proxy (server) where the API key will substituted:

Screen Shot 2015-06-10 at 4.51.31 PM
API key is not exposed on the client

For web apps, you can add an extra layer of security by specifying from which page URLs the proxy should accept requests:

Screen Shot 2015-06-10 at 8.31.33 PM
URL-based security

The proxy will only accept requests from page URLs listed in the table.

Another option to keep API keys private is to invoke the API from the server using Server Code, I will cover this in another post.

Setting up an using the Secure Proxy is simple. It provides a very important feature by allowing to keep sensitive and private data on the server, never exposing it on the client, and adding an extra security layer to your app.

Published by

7 responses to “How to Keep REST API Credentials Secure”

  1. How do you prevent one abusing your API key by sending requests to your proxy?

    1. There is a burst rate limit for the proxy.

      1. OK, so now you are vulnerable against a simple DoS attack…;)

        1. The burst limit is per API key. You can kill your access, but it will continue working for every one else.

      2. @ponschab

        Dos vulnerability was there even before.

  2. How do you prevent someone else sending requests though the proxy as it was your app? I mean, yes the API key is secure, but someone else can still use it.

    1. That’s an old post and this approach is no longer supported. To keep your API key secure, it’s recommended to use invoke an API from Server Code or API Express. Both are server-side approaches. Hope this helps.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.