Software Engineering
api third-party-libraries keys
Updated Thu, 28 Jul 2022 07:11:21 GMT

How should I access a third party API which requires a key?


I am accessing a third-party API. It requires a key, which is the same key for all of my users. Currently, my application includes that key in the client-side code, and calls the third party API directly. So any user can decompile my code, and get the key tied to my application. (Bad, right?)

I am guessing that I need to have a server between the client and third-party. And the client makes a request to the server, which has the key. The server then makes the request to the third party, and returns the results to the client. Is this the right approach?

If this is the correct approach, would I build the server and run it on AWS? Or do third-party tools for this use already exist? (I saw AWS Gateway, but that appeared to be about building APIs, not accessing them.) How should I have a user access the third party, without giving them the secret key which is shared among all users?

Solution

Popular services like Google use API key(s). This key should be protected as this is what is used to track your usage against the service. Many services are volume based and will charge appropriately based on usage.

Typically, these services are accessed via a server side component.

Client -> Your Service (API Key) -> Calls External Service

Then the client knows nothing about the key.
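The answer's flow (Client -> Your Service (API Key) -> External Service) written out as a minimal Python proxy; this is an added example, not code from the question or the answer, and the upstream base URL, the endpoint names, the client tokens and the THIRD_PARTY_API_KEY environment variable are all assumptions.

```python
import os
import urllib.request
from urllib.parse import urlencode, parse_qsl
from wsgiref.simple_server import make_server

UPSTREAM_BASE = "https://api.example.invalid/v1"  # placeholder upstream (assumed)
ALLOWED_ENDPOINTS = {"geocode", "weather"}         # only these operations are proxied
FORBIDDEN_PARAMS = {"key", "api_key"}              # clients may not supply a key of their own
USER_TOKENS = {"Bearer user-token-1"}              # constructed sample of your own users' tokens


def build_upstream_url(path, query, api_key):
    """Map a client request onto an upstream URL, injecting the server-held key.

    Returns None if the client asked for an endpoint outside the allow-list or
    tried to smuggle in a key parameter; the client never sees the real key.
    """
    endpoint = path.strip("/").split("/")[0]
    if endpoint not in ALLOWED_ENDPOINTS:
        return None
    params = dict(parse_qsl(query, keep_blank_values=True))
    if FORBIDDEN_PARAMS & set(params):
        return None
    params["key"] = api_key  # the secret is added here, server side only
    return f"{UPSTREAM_BASE}/{endpoint}?{urlencode(params)}"


def scrub(body, api_key):
    """Redact the key if the upstream echoes it back, so it never reaches a client."""
    return body.replace(api_key, "[redacted]")


def app(environ, start_response):
    """WSGI proxy: authenticate our own user, then call upstream with the shared key."""
    if environ.get("HTTP_AUTHORIZATION") not in USER_TOKENS:  # rate limiting would go here too
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unknown user\n"]
    api_key = os.environ["THIRD_PARTY_API_KEY"]  # read from the server environment, not shipped
    url = build_upstream_url(environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", ""), api_key)
    if url is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"endpoint not allowed\n"]
    with urllib.request.urlopen(url, timeout=10) as resp:  # the only place the key is used
        body = resp.read().decode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [scrub(body, api_key).encode()]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it with THIRD_PARTY_API_KEY set in the environment and point the client code at this service instead of the third party; the decompiled client then contains only your own service's address.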

Comments (1)

  • +1 – This only helps if your service whitelists IPs. If your service runs on a blacklist model, you would have to find all rogue traffic and blacklist the IP, and it would only work until the next rogue comes along. — Jul 11, 2017 at 17:30