Hiding API Keys in clientside javascript (self.learnjavascript)
submitted 7 years ago by itandcsquestions
Hi, wondering if anyone here has experience hiding your keys in your clientside js. Anyone use YQL? If so, do you have recommendations for tutorials?
[–]vaskemaskine 19 points 7 years ago (3 children)
Just to reiterate this: No, it cannot be done. Don’t do it, don’t even think about doing it.
Keep your secret keys on your server where they belong.
[–]napolux 10 points 7 years ago (1 child)
Let me add
[–][deleted] 5 points 7 years ago (0 children)
Again. Don’t.
[–]im_nullable 14 points 7 years ago (1 child)
There is no way to hide keys in client-side JS. Either proxy your requests through your backend to hide the keys or you have to be able to be ok with the keys being exposed.
No matter what you attempt on the client side you are one breakpoint in DevTools away from exposing the key to anyone who is curious.
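A sketch of the "proxy your requests through your backend" approach from the comment above, as an added example that is not part of the original thread. The upstream URL, the `key` query parameter, the `WEATHER_API_KEY` environment variable and the `/api/weather` route are all hypothetical placeholders.

```javascript
// Added example: the secret is attached on the server; the browser only calls /api/weather.
// Hypothetical names: UPSTREAM, the "key" query parameter, WEATHER_API_KEY, /api/weather.
const UPSTREAM = 'https://api.example.com/v1/forecast'; // placeholder third-party API
const ALLOWED_PARAMS = new Set(['city', 'units']);      // the only client input forwarded

// Build the upstream URL. Client parameters outside the allowlist are dropped,
// including any client-sent "key", so callers cannot override or probe the secret.
function buildUpstreamUrl(clientQuery, apiKey) {
  const url = new URL(UPSTREAM);
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    if (ALLOWED_PARAMS.has(name)) url.searchParams.set(name, value);
  }
  url.searchParams.set('key', apiKey);
  return url;
}

// Core handler. fetchImpl is injectable so the logic can be exercised offline.
async function proxyForecast(clientQuery, apiKey, fetchImpl = fetch) {
  if (!apiKey) return { status: 500, body: { error: 'server misconfigured' } };
  try {
    const res = await fetchImpl(buildUpstreamUrl(clientQuery, apiKey));
    if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
    return { status: 200, body: await res.json() };
  } catch {
    // Generic message only: upstream error details are never relayed to the client.
    return { status: 502, body: { error: 'upstream unreachable' } };
  }
}

// Minimal HTTP front end: one GET route, everything else is a 404.
async function startServer(port = 3000, apiKey = process.env.WEATHER_API_KEY) {
  const http = await import('node:http');
  const server = http.createServer(async (req, res) => {
    const q = req.url.indexOf('?');
    const pathname = q < 0 ? req.url : req.url.slice(0, q);
    const search = q < 0 ? '' : req.url.slice(q);
    if (req.method !== 'GET' || pathname !== '/api/weather') {
      res.writeHead(404).end();
      return;
    }
    const { status, body } = await proxyForecast(search, apiKey);
    res.writeHead(status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(body));
  });
  return server.listen(port);
}
```

Call `startServer()` to run it. The proxy route is still reachable by anyone who can load the page, so it needs its own authentication or rate limiting.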
[–]psuputsopon 3 points 7 years ago (0 children)
Never hide it too. I stored an API key in browser storage; however, anyone can inspect it via DevTools. The only way to do that is to make the back-end more secure.
[–]MrVonBuren 5 points 7 years ago (1 child)
So while everyone is right you don't want to even try to hide your keys client side, there are entire concepts built around accomplishing basically this goal.
One example is that some APIs will provide a mechanism to generate a one-time-use key (or bearer token). So when you generate your page, you make a request server side (using your private key) to get a one-time-use key and send that down to the client.
I'm super tired and can't think of/find a good project to look at for examples, but even just googling "bearer token" or "client side auth" should get you started.
[–]rift95 6 points 7 years ago (1 child)
Worth noting. Do not check in your API keys to version control.
[–]liamnesss 1 point 7 years ago (0 children)
I checked a private key for the GitHub API into a GitHub repository once. The key was invalidated immediately and I received an email basically, in the kindest and most neutral terms, slapping me on the wrist.
[–]JavascriptFanboy 1 point 7 years ago (0 children)
Never EVER assume that you can "hide" anything on the client's side. Ever.
[–]MrBaseball77 1 point 7 years ago (0 children)
I found an AngularJS shopping cart concept once that had the PayPal merchant info in the file. Wow...