I've got a Chrome plugin project that sends a fetch request to Unsplash's API for a new background image every two minutes. In this request, I send an access key which is to remain a secret, but since it's sort of a 'webpage', anyone who knows web development or JS would be able to find the access key.

What is the best practice for restricting access to this kind of information (Read: API-Keys)?

I have Googled and most of the articles I found about it have some framework in the backend.

Brian Tompsett - 汤莱恩
Hexdom
  • 2
    `What is the best practice for restricting access to this kind of information` don't send them to the browser – Jaromanda X Oct 02 '20 at 06:29
  • I have been thinking about making an API that sends the request for the browser extension (as mentioned in your link), but I was hoping there were other viable options. – Hexdom Oct 02 '20 at 06:33
  • 2
    There's simply no other option. Obfuscation can be defeated, and as long as the call is made from the user's device, they can just listen to it. – Martheen Oct 02 '20 at 06:42
  • SO has Q&A format. Let's keep it – Vega Oct 15 '20 at 07:30

0 Answers
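The approach the comments point to (a small API that makes the Unsplash call on the extension's behalf) is sketched below as an added example; it is not code from the thread. It assumes Node 18+, Unsplash's `photos/random` endpoint with its `Client-ID` authorization header, and hypothetical names for the route (`/background`), port (8080) and environment variable (`UNSPLASH_ACCESS_KEY`).

```javascript
// Added example: server-side proxy so the Unsplash access key never reaches the extension.
// Assumptions: Node 18+ (global fetch); /background, port 8080 and the env var name are hypothetical.
const UPSTREAM = 'https://api.unsplash.com/photos/random'; // fixed target, so this is not an open proxy
const CACHE_MS = 2 * 60 * 1000; // the extension asks for a new image every two minutes

function createProxy({ accessKey, fetchImpl = fetch, now = Date.now }) {
  let cached = null;   // { at, payload } of the last successful upstream call
  let inflight = null; // upstream call currently in progress, if any

  async function refresh() {
    const res = await fetchImpl(UPSTREAM, {
      headers: { Authorization: `Client-ID ${accessKey}` }, // key is attached here, server-side only
    });
    if (!res.ok) throw new Error(`upstream status ${res.status}`);
    const photo = await res.json();
    // Forward only the fields the extension needs; never echo the upstream request or headers.
    cached = { at: now(), payload: { url: photo.urls.regular, author: photo.user.name } };
    return cached.payload;
  }

  // Returns { status, body } for a request coming from the extension.
  return async function handle(method, path) {
    if (method !== 'GET' || path !== '/background') return { status: 404, body: { error: 'not found' } };
    if (cached && now() - cached.at < CACHE_MS) return { status: 200, body: cached.payload };
    try {
      // Concurrent requests share one upstream call, so clients cannot burn the key's quota.
      inflight = inflight || refresh().finally(() => { inflight = null; });
      return { status: 200, body: await inflight };
    } catch (err) {
      return { status: 502, body: { error: 'upstream unavailable' } }; // no upstream detail leaked
    }
  };
}

function startServer(port) {
  const handle = createProxy({ accessKey: process.env.UNSPLASH_ACCESS_KEY });
  return import('node:http').then((http) =>
    http.createServer(async (req, res) => {
      const { status, body } = await handle(req.method, req.url);
      res.writeHead(status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(body));
    }).listen(port));
}

// Only starts when a key is configured in the server's environment.
if (process.env.UNSPLASH_ACCESS_KEY) startServer(8080);
```

The extension then fetches `/background` from this service instead of calling Unsplash directly; every client sees the same cached image for two minutes, which is the trade-off for keeping upstream calls bounded.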