How to secure API Keys

Hi there,
I have seen some posts here regarding this question, but none that really gives a good answer or conclusion, as to how to best handle API keys.

I am facing this challenge now in a new app I am developing, and from what I have read, the only really safe way is to have a server backend/proxy where you keep the API keys, but that is something I do not have and have no experience with setting up at all. I know there are services out there that can be used, but to my knowledge, these require skills I do not have in terms of setting them up.
Is there anyone out there with experience on this who knows how, and/or has used any backend/proxy services they would recommend?

Hi Finn,

Welcome to the community.

I’m assuming that you have only recently joined CWC+. There is a Networking course that Chris Ching has and in that he describes a method to secure your API key by storing it in a Config.xcconfig file within your Xcode project which you then add to .gitignore so that you avoid exposing it to your remote GitHub repo if you have one.

Documentation on the file format of the Config.xcconfig file can be found at this link:

https://help.apple.com/xcode/mac/11.4/#/dev745c5c974

Essentially you create a Config.xcconfig file in Xcode by tapping File > New > File and selecting Configuration Settings File in the “Other” group.

In that file, add a line:

API_KEY = yourAPIKeyString (no quotes required)

and save it.

In your project you can create a Swift file to store all your Constants. Let’s assume that you are accessing a Yelp API just as an example. This is what mine looks like:

struct Constants {
    static let API_ENDPOINT = "https://api.yelp.com/v3/businesses/search"
    static var DETAILS_URL = "https://api.yelp.com/v3/businesses/"
    static let API_KEY = Bundle.main.infoDictionary?["API_KEY"] as? String
}

So that’s how you reference the API_KEY that is stored in your Config.xcconfig file.

Hi Chris,
Thank you for your reply!
However, as far as I can read in this article, "Secret Management on iOS" (NSHipster), it is not really considered to be secure to do it in a config file either, hence the section "Store Secrets in Xcode Configuration and Info.plist" in that article.
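
Added example (not part of either post, and not code from the course or the NSHipster article): because `Bundle.main.infoDictionary` reads the Info.plist that ships inside the app bundle, a value expanded from Config.xcconfig is present in plain text in every build. This Python release check parses a built Info.plist and flags such values; the key-name patterns, entropy threshold and sample plist are assumptions constructed for illustration.

```python
import math
import plistlib
import re
from collections import Counter

# Key names that usually indicate a credential (assumed heuristic list).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password)", re.IGNORECASE)
# Unresolved build-setting reference such as $(API_KEY): no value was baked in.
PLACEHOLDER = re.compile(r"^\$[({][A-Za-z0-9_]+[)}]$")
# Token-shaped string: long, no dots or spaces (so bundle IDs are not flagged).
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9_\-]{20,}")


def shannon_entropy(text: str) -> float:
    """Bits per character; random keys score well above ordinary words."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def find_embedded_secrets(plist_bytes: bytes, min_entropy: float = 4.0):
    """Return (key, reason) pairs for top-level strings that look like secrets."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    findings = []
    for key, value in info.items():
        if not isinstance(value, str) or PLACEHOLDER.match(value):
            continue
        if SECRET_NAME.search(key):
            findings.append((key, "secret-like key name"))
        elif TOKEN_SHAPE.fullmatch(value) and shannon_entropy(value) >= min_entropy:
            findings.append((key, "long high-entropy value"))
    return findings


# Constructed Info.plist as it would look after Xcode expands $(API_KEY).
SAMPLE_BUILT_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demo",
    "CFBundleShortVersionString": "1.0",
    "API_KEY": "q8Zr3LmT0xVb7NcKpW2sYd9HfGj4UeA1",  # constructed, not a real key
    "AnalyticsID": "Xk29fLq0PzR7uTn4Wc8VbM3sJhD6",  # constructed
})

if __name__ == "__main__":
    for key, reason in find_embedded_secrets(SAMPLE_BUILT_PLIST):
        print(f"{key}: {reason}")
```

Run it against the Info.plist inside the built .app as a release step; any finding means the key is readable by anyone who has the app, which is the limitation the second post raises.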