javascript - Hide 3rd party API-key with firebase - Stack Overflow

admin管理员组

文章数量:1420214

Im building a website in firebase. It's a simple look-up service which only has an input element that fires a request to a 3rd party api.

www.3rdparty/api/[myapikey]/method

The problem is that I'm limited to x requests per second and I can't expose my api-key to the users.

My mission eventually is to store the responses in firebase so that I can limit the number of requests that reach the 3rd party (a cache function)

Im building a website in firebase. It's a simple look-up service which only has an input element that fires a request to a 3rd party api.

www.3rdparty./api/[myapikey]/method

The problem is that I'm limited to x requests per second and I can't expose my api-key to the users.

My mission eventually is to store the responses in firebase so that I can limit the number of requests that reach the 3rd party (a cache function)

• javascript
• firebase
• firebase-security

Share Improve this question Follow edited Apr 5, 2016 at 7:09 Salmin Skenderovic asked Apr 5, 2016 at 6:49 Salmin SkenderovicSalmin Skenderovic 1,7201010 silver badges2424 bronze badges

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 6

Putting such an API key into the client-side code of your application introduces the risk of malicious users taking your key and using it to their own purposes. There is nothing you can do about that, except for simply not including the API key into the client-side code. This applies equally to Android and iOS code btw.

Since you can't put the API key in client-side code, you'll have to run it on a server. This is a quite mon scenario for using server-side code within a Firebase architecture: the code needs access to some information that mon clients cannot be trusted with. It is covered by pattern 2 in our blog post on mon Firebase application architectures.

From that blog post:

An example of such an architecture in action would be clients placing tasks for the server to process in a queue. You can have one or more servers picking off items from the queue whenever they have resources available, and then place the result back into your Firebase database so the clients can read them.

本文标签： javascriptHide 3rd party APIkey with firebaseStack Overflow