Securing API Keys

Does anyone know how to securely store API keys? Can you please share your code?

The API key is no longer protected as we once thought it was. Rather, anyone can now grab Firebase or other keys from our apps, relatively easily, even without jailbreaking:

Dude your timing is INSANE, I was literally googling stuff about that right now.

Apparently there are ways to encrypt your API Key in the app but it is never 100% safe, and is considered an “anti pattern” in terms of safety. The only safe solution is to have a server as an intermediary between the app and the API.

For Firebase, you’ve got AppCheck to make sure requests come from the app and nothing else.
I believe the user OAuth token is also reset every hour, so as long as security rules include auth restrictions, it should be fine.

But if anyone more experienced can provide some insights, I am also extremely interested.

The original article I linked by NSHipster is the answer.

You can’t. Nothing is ever 100% secure. A person with malicious intent is always able to hack something.

This is one way.

This is something Firebase gives you, and is another way (the app has to re-authenticate itself against your API).

—-

Or fetch your API key from your own server and store it in Keychain, but again you have to fetch that data meaning technically it can be intercepted.

At some point you have to ask yourself, how much effort is it worth to hide your API key, vs the amount of people who will try to do something malicious.


Thanks a lot for sharing @mikaelacaron! 🙂

So someone could intercept the server response with the API key.

Technically, does that mean that a hacker could also get the key from any of the following requests from the app to the API that has the key embedded in the URL?

That’s a good point. I’m gonna be thinking about that for a while haha 😅

Technically yes, but also this can happen with any kind of transmission (texts, phone calls, going to websites); technically this can happen anywhere.

There’s always a way for someone to hack something if they’re being malicious and wanting to put enough effort into it.

But network security is such a deep rabbit hole haha I haven’t gone too far into it.

This is why, when making API calls, there are rate limits, which only allow a certain number of requests per minute or per hour.

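Added example, not code from any post in this thread: the server-as-intermediary approach and the per-user rate limits discussed above, in Python. The app sends a short-lived signed user token instead of the API key, and the server attaches the key itself. The token format, all names and the limits are assumptions, and the signed token stands in for whatever user credential the app already has.

```python
import hashlib
import hmac
import os
import time

# Hypothetical names; the defaults are constructed demo values so this runs offline.
UPSTREAM_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-demo-key")
TOKEN_SECRET = os.environ.get("TOKEN_SECRET", "constructed-demo-secret").encode()
TOKEN_TTL = 3600        # seconds a user token stays valid
LIMIT, WINDOW = 5, 60   # at most 5 requests per user per 60 seconds
_hits = {}              # user id -> timestamps of recent accepted requests

def _sign(body):
    return hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now):
    """Return "user:expiry:signature", issued after the user logs in."""
    body = f"{user}:{int(now) + TOKEN_TTL}"
    return f"{body}:{_sign(body)}"

def verify_token(token, now):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        user, expiry, sig = token.rsplit(":", 2)
        ok = hmac.compare_digest(sig.encode(), _sign(f"{user}:{expiry}").encode())
        expires_at = int(expiry)
    except ValueError:
        return None
    return user if ok and now < expires_at else None

def allow(user, now):
    """Sliding-window limit: refuse once LIMIT requests fall inside WINDOW."""
    recent = [t for t in _hits.get(user, []) if now - t < WINDOW]
    _hits[user] = recent
    if len(recent) >= LIMIT:
        return False
    recent.append(now)
    return True

def handle(token, path, send, now=None):
    """Proxy one app request; send() stands in for the HTTPS call upstream."""
    now = time.time() if now is None else now
    user = verify_token(token, now)
    if user is None:
        return 401, "invalid or expired token"
    if not allow(user, now):
        return 429, "rate limit exceeded"
    request = {"path": path, "headers": {"Authorization": f"Bearer {UPSTREAM_KEY}"}}
    return 200, send(request)  # only the upstream body goes back to the app
```

A leaked user token expires after `TOKEN_TTL` and is capped by the rate limit, while the upstream key never leaves the server.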