I am accessing a third-party API. It requires a key, which is the same key for all of my users. Currently, my application includes that key in the client-side code, and calls the third party API directly. So any user can decompile my code, and get the key tied to my application. (Bad, right?)
I am guessing that I need to have a server between the client and third-party. And the client makes a request to the server, which has the key. The server then makes the request to the third party, and returns the results to the client. Is this the right approach?
If this is the correct approach, would I build the server and run it on AWS? Or do third-party tools for this use already exist? (I saw AWS Gateway, but that appeared to be about building APIs, not accessing them.) How should I have a user access the third party, without giving them the secret key which is shared among all users?
Popular services like Google use API key(s). This key should be protected as this is what is used to track your usage against the service. Many services are volume based and will charge appropriately based on usage.
Typically, these services are accessed via a server side component.
Client -> Your Service (API Key) -> Calls External Service
Then the client knows nothing about the key.
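As an added illustration of that layout (example code, not the answerer's or any project's), here is a minimal version of the middle box in Python's standard library. It assumes a hypothetical upstream endpoint `https://api.example.com/v1/search` that takes the key in a `key` query parameter, and reads the shared key from a `THIRD_PARTY_API_KEY` environment variable on the server. The client only ever talks to `/api/search` on this proxy; the proxy whitelists and validates what it will forward, attaches the key itself, and redacts the key if the upstream happens to echo it back in an error body.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical upstream endpoint and key parameter name; substitute the real third party's.
UPSTREAM = "https://api.example.com/v1/search"
UPSTREAM_KEY_PARAM = "key"
# Only these client parameters are forwarded, in this order; everything else is dropped.
ALLOWED_PARAMS = ("q", "limit")


def load_api_key(env=os.environ):
    """Read the shared key from the server's environment; it is never sent to clients."""
    key = env.get("THIRD_PARTY_API_KEY")
    if not key:
        raise RuntimeError("THIRD_PARTY_API_KEY is not set")
    return key


def build_upstream_url(client_query, api_key):
    """Whitelist and validate the client's query string, then attach the server-held key.

    Raises ValueError on a bad request. A client-supplied 'key' parameter is discarded,
    so a user can neither substitute their own key nor learn whether one is accepted.
    """
    params = urllib.parse.parse_qs(client_query, keep_blank_values=False)
    forwarded = {}
    for name in ALLOWED_PARAMS:
        if name in params:
            forwarded[name] = params[name][0]
    if "q" not in forwarded or len(forwarded["q"]) > 200:
        raise ValueError("q is required and must be at most 200 characters")
    if "limit" in forwarded and not (
        forwarded["limit"].isdigit() and 1 <= int(forwarded["limit"]) <= 50
    ):
        raise ValueError("limit must be an integer from 1 to 50")
    forwarded[UPSTREAM_KEY_PARAM] = api_key
    # urlencode escapes '&' and '=' inside values, so q cannot smuggle extra parameters.
    return UPSTREAM + "?" + urllib.parse.urlencode(forwarded)


def scrub(body, api_key):
    """Defence in depth: if the upstream echoes the key (for example in an error), redact it."""
    return body.replace(api_key.encode(), b"[redacted]")


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/api/search":
            self._reply(404, b"not found")
            return
        try:
            url = build_upstream_url(parsed.query, self.server.api_key)
        except ValueError as exc:
            self._reply(400, str(exc).encode())
            return
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                status, body = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as exc:
            status, body = exc.code, exc.read()
            ctype = exc.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.URLError:
            self._reply(502, b"upstream unavailable")
            return
        # The upstream's answer goes back to the client with the key scrubbed out of it.
        self._reply(status, scrub(body, self.server.api_key), ctype)

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run(host="127.0.0.1", port=8080):
    server = HTTPServer((host, port), ProxyHandler)
    server.api_key = load_api_key()  # held in server memory only, never in client code
    server.serve_forever()


if __name__ == "__main__":
    run()
```

Two things a real deployment needs on top of this: since the key is shared and the third party bills by volume, the proxy should authenticate your own users (session or token) and rate-limit per user before forwarding, otherwise you have only moved the free-for-all from the key to the proxy; and the key should come from the host's secret store or environment, not from a file checked into the repository.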