• I’m looking at using some APIs from 3rd parties in my plugin, however I do not want to expose the API keys to the plugin users, to prevent them from being used elsewhere.

    I was wondering what’s the common solution for something like this because it doesn’t seem possible unless I funnel all the API through my own server.

    Can anyone provide some insight into this because it’s kind of a new area for me.

    Thanks

    • This topic was modified 2 years, 1 month ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Developing with WordPress topic
  • I assume you are concerned about technical people reverse engineering your solution and hence gaining your keys?

    Then the only solution I can think of is funnelling through your own server. You would also have to have some ‘licence’ style processing to ensure that your server is not abused as a pass through.

    This was the solution I came up with for one of my own plugins where data was required from a third party I had to pay for.

    The good thing about using your own server is you can cache and optimise the data from the third party as you are not bound by their structures / rate limits any more.

    It is a complex solution to develop.
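The pass-through described in the reply above, sketched as an added example that is not part of the original thread or any poster's code: the third-party key stays on the developer's server, each plugin install sends only a license key, and the server checks the license, rate-limits per site and caches upstream responses. The HMAC license format, all names, the limits and the `call_upstream` stand-in are assumptions made for illustration.

```python
import hashlib, hmac, time

# All values below are constructed for this example.
UPSTREAM_API_KEY = "sk-PLACEHOLDER"        # third-party key: never shipped in the plugin
LICENSE_SECRET = b"constructed-demo-secret"  # server-side secret used to sign licenses
RATE_LIMIT, WINDOW, CACHE_TTL = 3, 60, 300   # calls per window (s), cache lifetime (s)

_cache, _hits = {}, {}   # query -> (time, body); site -> recent call times

def _tag(site):
    return hmac.new(LICENSE_SECRET, site.encode(), hashlib.sha256).hexdigest()

def issue_license(site):
    """License key handed to a customer: site id plus an HMAC tag."""
    return f"{site}.{_tag(site)}"

def verify_license(key):
    """Return the licensed site id, or None if the tag does not verify."""
    site, _, tag = key.rpartition(".")
    ok = site and hmac.compare_digest(tag.encode(), _tag(site).encode())
    return site if ok else None

def call_upstream(query, api_key):
    # Stand-in for the HTTPS request to the third party (hypothetical).
    return {"query": query, "data": f"result for {query}"}

def handle(license_key, query, now=None, upstream=call_upstream):
    """Proxy one plugin request; returns (status, body)."""
    now = time.time() if now is None else now
    site = verify_license(license_key)
    if site is None:
        return 403, {"error": "invalid license"}
    # Per-license sliding window so the server is not an open pass-through.
    recent = [t for t in _hits.get(site, []) if now - t < WINDOW]
    if len(recent) >= RATE_LIMIT:
        _hits[site] = recent
        return 429, {"error": "rate limit exceeded"}
    _hits[site] = recent + [now]
    # Serve from cache when possible to spare the third party's rate limits.
    cached = _cache.get(query)
    if cached and now - cached[0] < CACHE_TTL:
        return 200, cached[1]
    body = upstream(query, UPSTREAM_API_KEY)   # key is attached only here
    _cache[query] = (now, body)
    return 200, body
```

The plugin side then needs nothing more than its license key and the proxy URL, so reverse engineering the plugin yields a revocable, rate-limited license rather than the third-party credential.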

    Thread Starter EricB50

    (@ericb50)

    Yes I don’t want them reverse engineered.

    Do you just do a key exchange with your server then pass the credentials over?

    I can license them and then track their IP origins. Is that your solution?

    Thanks again.

    Easiest to explain roughly how I do it in a diagram

    [Diagram: API-calls-drawio]

    Thread Starter EricB50

    (@ericb50)

    Thanks for the help. That’s exactly what I was thinking.

  • The topic ‘How to Protect 3rd Party API keys?’ is closed to new replies.