Major Key Alert: Hide your API Keys
kcarrel
Posted on August 4, 2019
I love integrating public APIs (Application Programming Interface) into my side projects in order to add more functionality. However, this raises the issue of keeping the API keys out of the code I publish! This post will walk you through what an API key is used for, why you need to hide your keys, and provide a guide to accomplishing this in a Ruby project.
What is an API key?
An API key is a unique identifier that an API provider issues to control access to its service. The key is linked to the user it was assigned to, so the provider can count the calls that user makes (for rate limiting and billing) and decide which parts of the API that user is allowed to reach.
Why do I need to hide my API keys?
Hiding your API keys is necessary because the key is the credential for your access to a resource. If you make it publicly available, anyone can use it to present themselves as you: run up your quota, incur charges on your account, or abuse the service until the provider shuts your access down. Protect your access and your project by keeping those keys in a file that is listed in .gitignore, so that when you push your project to its GitHub repository the keys are not published. Keep in mind that a key in a .gitignore(d) file is still stored in plaintext on your disk and still travels in every request you make with it, so send it only to the API provider itself, never through a third-party proxy, and in production read it from the real environment rather than a checked-in file.
Hide those keys! (Ruby)
- Add gem 'dotenv-rails' to your Gemfile (ideally inside group :development, :test, since production should get its variables from the real environment) and run bundle install. In a plain Ruby project use gem 'dotenv' and require 'dotenv/load' instead.
- While in the root of your project's directory, create the file with the command '$ touch .env'
- In that .env file create a variable (uppercase by convention, one KEY=value per line, no spaces around the =) and assign it your API key
#Inside the .env file
YELP_API_KEY=your_developer_api_key_from_yelp
- Add your .env file to the .gitignore file
#Inside the .gitignore file
.env
- You can access your API key throughout your Ruby project via ENV, as in the controller action below
require 'httparty'
# Inside a Rails controller. ENV.fetch raises if the variable is missing,
# which beats silently sending "Bearer " with an empty token.
def yelp
  yelp_key = ENV.fetch("YELP_API_KEY")
  # Call Yelp directly. This code runs on the server, so no CORS proxy is needed,
  # and routing the request through one would hand the proxy your bearer token.
  query = URI.encode_www_form(term: params[:category], location: params[:location])
  res = HTTParty.get("https://api.yelp.com/v3/businesses/search?#{query}",
                     headers: { "Authorization" => "Bearer #{yelp_key}" })
  render plain: res.body.squish
end
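The dotenv and .gitignore steps above, as an added example that is not from the original post or from the dotenv gem: a small stdlib-only script that parses a .env file the way dotenv does (variables already present in the environment win), checks that .gitignore really covers .env, and scans the project tree for key-looking literals that should have been read from ENV instead. The file names, variable names and the secret-matching regexes are assumptions made for illustration.

```ruby
# Added example, not the original post's code. Demonstrates what dotenv does at
# boot plus two pre-push checks. Names and patterns below are illustrative.
require "tmpdir"
require "fileutils"

# Parse KEY=value lines like dotenv: skip blanks and comments, allow an optional
# "export " prefix, and strip one matching pair of single or double quotes.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    m = line.match(/\A(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\z/)
    next unless m
    value = m[2].strip
    quoted = value.length >= 2 &&
             (value.start_with?('"') && value.end_with?('"') ||
              value.start_with?("'") && value.end_with?("'"))
    vars[m[1]] = quoted ? value[1..-2] : value
  end
end

# Load a .env file into env (a Hash, or ENV itself). As with dotenv, a variable
# that already exists in the environment is never clobbered, so a real
# production value always beats the file. Returns what the file contained.
def load_dotenv(path, env = ENV)
  return {} unless File.exist?(path)
  loaded = parse_dotenv(File.read(path))
  loaded.each { |k, v| env[k] = v unless env.key?(k) }
  loaded
end

# True if some pattern in .gitignore would ignore a file named ".env" at the
# repository root (".env", "/.env", ".env*", ...). Negations ("!") are skipped.
def gitignore_covers_env?(gitignore_text)
  gitignore_text.each_line.any? do |raw|
    pat = raw.strip
    next false if pat.empty? || pat.start_with?("#", "!")
    File.fnmatch?(pat.delete_prefix("/"), ".env", File::FNM_DOTMATCH)
  end
end

# Heuristic: a name containing api_key/secret/token/password assigned a quoted
# literal of 8+ characters. ENV.fetch("YELP_API_KEY") does not match because no
# "=" follows the name. Illustrative pattern; a real scanner would do more.
SECRET_NAME = /(API_KEY|SECRET|TOKEN|PASSWORD)/i
LITERAL_ASSIGNMENT = /#{SECRET_NAME}\w*["']?\s*(?:=>|=|:)\s*["'][^"']{8,}["']/

# Walk root and return [[relative_path, line_number, line], ...] for every hit,
# skipping the .env file itself (that is where the key is supposed to live).
def scan_for_hardcoded_keys(root)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root).filter_map do |rel|
    next if rel == ".env" || File.directory?(File.join(root, rel))
    File.foreach(File.join(root, rel)).with_index(1).filter_map { |line, n|
      [rel, n, line.strip] if line.scrub.match?(LITERAL_ASSIGNMENT)
    }
  end.flatten(1)
end

# Usage: ruby check_env.rb /path/to/project
if __FILE__ == $0 && (root = ARGV[0])
  gi = File.join(root, ".gitignore")
  puts ".env ignored? #{gitignore_covers_env?(File.exist?(gi) ? File.read(gi) : "")}"
  scan_for_hardcoded_keys(root).each { |rel, n, line| puts "#{rel}:#{n}: #{line}" }
end
```

The scan is deliberately a heuristic: it will catch a key pasted straight into a controller or a YAML file, but it is not a substitute for a proper secret scanner, and the real protection is the discipline of only ever reading keys through ENV.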
Happy API Key Hiding!
Common Troubleshooting
- Can't find your newly created .env file after .gitignoring it? Check the settings on your text editor to see if it makes hidden files visible in the project tree.
- Have you already pushed your API keys up to GitHub? Treat the key as compromised: revoke it and get a new one from the provider first, because rewriting history only removes it from your repository, not from anyone who already cloned or cached it. Then follow this guide to scrub it from the history: https://help.github.com/en/articles/removing-sensitive-data-from-a-repository