
Currently, I am testing Google Cloud's Speech API and wondering how to pass a dynamic Google Cloud API key to the client app from the server.

The speech function will be in the client's app (React Native). Before every request to the Google Cloud API or session, I am thinking of generating an API key dynamically on the server side (Node.js) with a short lifetime and passing it to the client side. Only then can clients use the Google service.

The main concern is that I do not want to embed the Google Cloud API key in the client app, and I want to have control over which clients can / cannot use the service. Is there a way to dynamically generate API keys on the server side with a short lifetime and pass them to the client? Thanks.

Update:

I was checking https://github.com/GoogleCloudPlatform/android-docs-samples/tree/master/speech/Speech and found the suggestion:

This Android app uses JSON credential file locally stored in the resources. You should not do this in your production app. Instead, you should set up your own backend server that authenticates app users. The server should delegate API calls from your client app. This way, you can enforce usage quota per user. Alternatively, you should get the access token on the server side, and supply client app with it. The access token will expire in a short while.

This is exactly what I want to do, but can anyone suggest how I can achieve this? Thanks.


I am trying to find out how to get the API key for Step 2 on the server backend side.

Aung Myint Thein

1 Answer

Never store credentials in users' browsers; luckily, you are trying to adhere to this principle!

A setup that might be useful here has the following components:

  • Use an authentication mechanism in your client-side app, by means of an identity provider. You could use Okta, Auth0, Cognito, or any other authentication provider which supports OAuth2.
  • Use the same authentication provider to secure a custom-built endpoint, which could be a Google Cloud Function. This could be combined with Cloud Endpoints, but not necessarily.
  • In the same Cloud Function, after a user's identity is checked, you call the speech API.
  • The API key could be stored as a secret in Google Secret Manager.
  • The Cloud Function acts as a "serving hatch" to the API, passing back and forth requests from a user to the Google Cloud Speech API.

Your API key remains on the backend, stored as a secret. Users that are not authenticated using the authentication provider will never have access to the Speech API.

Cloud speech API

Cloudkollektiv
  • Thanks for the suggestions. I have updated what my idea flow could be like. – Aung Myint Thein Oct 26 '20 at 10:42
  • I understand, but if you expose the API key, a user could just intercept that key very easily and send unlimited (concurrent) requests for the time the key is valid. So I think my solution is better. You could even log the process ID and processing time for a user's request within the cloud function. With this information, you could calculate/retrieve estimated costs. – Cloudkollektiv Oct 26 '20 at 10:47
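
The "serving hatch" setup from the answer, together with the per-user logging suggested in the last comment, sketched as an added example (not code from the answer or from any Google sample). All names are hypothetical, and the identity provider, secret store and Speech API are replaced by constructed in-memory stand-ins so the block runs offline.

```javascript
// Added example; every name here is hypothetical. Dependencies are injected:
//   verifyToken(token) -> {sub}   validates the identity provider's OAuth2 token, throws if invalid
//   getApiKey()        -> string  reads the Speech API key from a secret store
//   recognize(key, audio)         calls the Speech API and returns the transcript
function makeSpeechProxy({ verifyToken, getApiKey, recognize, quotaPerUser, log }) {
  const used = new Map(); // per-user request counter (in memory only, for the demo)
  return async function handle(req) {
    const auth = (req.headers && req.headers.authorization) || '';
    const m = /^Bearer (.+)$/.exec(auth);
    if (!m) return { status: 401, body: { error: 'missing bearer token' } };
    let user;
    try {
      user = await verifyToken(m[1]);
    } catch (e) {
      return { status: 401, body: { error: 'invalid token' } };
    }
    if (!req.body || typeof req.body.audio !== 'string') {
      return { status: 400, body: { error: 'audio required' } };
    }
    const count = used.get(user.sub) || 0;
    if (count >= quotaPerUser) return { status: 429, body: { error: 'quota exceeded' } };
    used.set(user.sub, count + 1); // charged before the call, so failed calls count too
    const started = Date.now();
    try {
      // The key is fetched and used here only; it is never placed in a response.
      const transcript = await recognize(await getApiKey(), req.body.audio);
      return { status: 200, body: { transcript } };
    } catch (e) {
      // Upstream error text may contain the key, so return a generic message.
      return { status: 502, body: { error: 'speech backend error' } };
    } finally {
      log({ user: user.sub, ms: Date.now() - started }); // input for per-user cost estimates
    }
  };
}

// Constructed stand-ins for the identity provider, secret store and Speech API.
const usageLog = [];
const demoProxy = makeSpeechProxy({
  verifyToken: async (t) => { if (t !== 'good-token') throw new Error('bad'); return { sub: 'user-1' }; },
  getApiKey: async () => 'CONSTRUCTED-KEY',
  recognize: async (key, audio) => { if (audio === 'corrupt') throw new Error('key=' + key); return 'hello'; },
  quotaPerUser: 2,
  log: (entry) => usageLog.push(entry),
});
```

In a real deployment the three injected functions would wrap the identity provider's token validation, the secret store client and the Speech client, and the counter would live in shared storage rather than process memory.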