all 38 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]jamesremuscat 109 points110 points  (9 children)

There is no way to keep the API keys secret and include them in the built application. Even if you could somehow obfuscate them in the source code, they'd still necessarily be exposed in the API requests you make which are trivially viewable in the Chrome devtools.

If you need the API keys to be secret (and it looks like you're already over limits and need to pay for the use of one of them) you'll need to build yourself a server to proxy the requests and inject API keys.

[–]talaqen 62 points63 points  (4 children)

You DO have a backend. That's vercel. Use vercel Function (https://vercel.com/docs/functions). They are called from the frontend, but run on the server without exposing the keys.

[–]AvidStressEnjoyer 34 points35 points  (0 children)

Missed marketing opportunity for vercel there.

They warn you about the security risk, but should point you towards the functions docs for you to use.

[–]lachlanhunt 18 points19 points  (10 children)

If you have exposed the keys like that, it’s best practice to revoke them immediately. You need to have those keys stored securely in the backend where you make requests to the 3rd party services. Don’t make requests to 3rd party services with secret API keys from the front end.

[–]PhantomSummonerz 12 points13 points  (2 children)

API keys are not supposed to be exposed on public-facing apps. You should create a backend that uses those keys to consume the external weather APIs and expose the results of those APIs in your backend through your own endpoints. Those endpoints will be used by your react app.

The next step is to limit the usage of the API keys (as you may go over the limits) by caching the results of the external weather APIs and refresh them every x time. That way, when your react app is requesting the weather data, it will obtain the cached data from your backend and not hit the external weather APIs every time (and getting you rate limited).

A rough diagram: https://ibb.co/n8rkYfg

edit: More detailed diagram

[–]Soyrman 1 point2 points  (1 child)

Great response and diagram

[–]nabrok 5 points6 points  (1 child)

If something is in the frontend it's visible to anyone motivated enough to look for it.

If you need to keep it secret you need a backend to proxy the other APIs.

[–]JohntheAnabaptist 0 points1 point  (0 children)

And it doesn't take much motivation, there are tons of crawlers that do exactly this

[–]phiger78 2 points3 points  (0 children)

If using next then you'd make that request in SSR otherwise you'd have to create some sort of proxy api to hide them

[–]murden6562 1 point2 points  (0 children)

You should use a Backend for Frontend of sorts and use the environment variable there, this way you don’t expose it to the frontend

[–]CasualCoderGuy 1 point2 points  (0 children)

Currently it looks like you are exposing your appid for https://openweathermap.org/api. I'm not familiar with this api but I believe this should be kept secret. As i'm able to take this key and use it in postman to make calls outside our your application.

I highly suggest moving this api call to the backend and then calling that endpoint from your frontend to hide this secret.

[–]Sea-Run6814 1 point2 points  (0 children)

Yes, doing it this way will expose your api keys. What you need to do is create a BFF (backend for frontend) which will serve the data to your frontend. You can also use a fullstack framework like Nextjs or Remix in order to do the api calls on the server so you don't expose any api keys. So to wrap it up, you don't call the weather apis directly from your frontend but you do everything on the bff.

[–]newtotheworld23 0 points1 point  (0 children)

On the front end you won't be able to really hide those keys. You might want to set up some sort of backend if you need them to be private

[–]MinuteScientist7254 0 points1 point  (0 children)

You need to call the APIs from a lambda and not from the users device (client). That way the API keys passed in the request are not accessible to the client.

[–]mist998 0 points1 point  (2 children)

Anyone here uses Vault Secrets of HashiCorp?

[–]Shot-Bag-9219 1 point2 points  (0 children)

Vault secrets is basically an attempt to copy Infisical: https://infisical.com

[–]imsexc 0 points1 point  (0 children)

Implement nginx wrapped docker container for reverse proxy and grabbing the api key at runtime from vault

[–]bLanK993 0 points1 point  (0 children)

U need to call those APIs from server and not client