0

I'm developing a Chrome Extension where I need to use APIs which require id/keys. As anyone can easily look into the source code of extension, is there a way to hide the API access information from the user?

After searching, I found: Securing website API keys in Chrome extensions

This thread was created three years ago and has an answer that the only option is to use something similar to a custom webservice call. Is something changed? Or a custom webservice is the only option?

This thread too didnt provide much info: How to secure an API key in a Google chrome extension?

Community
  • 1
  • 1
user2649554
  • 19
  • 2
  • never put secrets in client-side code, even if view-source is harder to get to than normal... – dandavis Mar 01 '15 at 06:52
  • 1
    I think this is a chicken-and-egg problem. The user of your extension is allowed to call that API - what's the point of hiding the credentials then? If you want to impose limits, there's no way to do that reliably on the client side - make your own proxy API as suggested and pre-filter requests on your server. – georg Mar 01 '15 at 07:26
  • What georg said. If the API key is individual per user, then you can store it on the users machine - it's his anyway and other people can't get it from there. If it's the same key for everybody, what's the point of the key? –  Mar 01 '15 at 17:35

0 Answers0