Best way to protect API key while using JS?

Sixing_Xu · ‎Oct 01, 2018

Hi all,
I’ve been developing a website using Airtable’s official API client in javascript, and have been wondering if there’s a recommended way to securely protect my API and base keys (so that ppl won’t be able to access them via browser)? I’d like to know if there is a way to protect my keys without switching to another programming language.

Andrew_Johnson1 · ‎Oct 02, 2018

You will want to run the “Airtable” interfacing part of your app on your server.
Since you are using Javascript, I assume you Node.js will be your choice of language.

After that make calls from the client(browser) using Ajax, or some other javascript framework like Angular etc to your server (described above) and NOT to the Airtable API directly.

Thus your API keys will be hidden since it will be running on your server, to which only you have access to.

drassi · ‎Oct 11, 2018

If all you’re trying to do is restrict the website users from getting your API key and modifying your data, easiest way is to simply make a read-only user and use the read-only user’s API key in javascript on the public website.

If you are trying to prevent website users from gaining even a read-only API key, you will have to proxy your requests. I’d recommend using nginx proxy_pass in conjunction with proxy_set_header.