- Should I hide my API key?
- How do I protect my API keys?
- What if an API key is exposed?
- Can someone steal my API key?
Should I hide my API key?
Do I need to hide my API keys? API secret keys should never be put in a client-side code or should be hidden. However, read-only API keys won't pose any risk if you paste them into your JavaScript code that will commit in your browser.
How do I protect my API keys?
If you store API keys or any other private information in files, keep the files outside your application's source tree to keep your keys out of your source code control system. This is particularly important if you use a public source code management system, such as GitHub.
What if an API key is exposed?
Exposed API keys can be used both to exploit vulnerabilities or bugs in the coding of the API itself and through API abuse (where the API is accessed or used in a way that was not intended). Example attacks include account takeover, automated account creation, data scraping or DDoS attacks.
Can someone steal my API key?
Even worse, criminals can easily circumvent “trade-only” settings on the API keys and steal money from traders' accounts even without obtaining their account credentials or withdrawal rights.