API Key Basics with a Tutorial on Setting up Google Translate API on Node.JS

John Lee
6 min read · Jul 22, 2021


Setting up a new API in your application is an exciting step, but developers need to be well aware of good practices for handling their API key. For those unfamiliar with API keys: they are credentials, and should be treated as sensitive information you do not want to share with the world. An API key identifies your application (or, for Google, your project) to the provider, typically for authentication and for tracking usage of an API endpoint for billing. Because anyone who holds the key can make calls that are attributed, and billed, to you, it is important to keep the key as safe as possible to avoid the headaches of misuse and unexpected bills. In this tutorial, I will show you how to set up the Google Translate API on Node.js while following good practices for keeping your API key safe.

API Keys Should Always Be On the Backend

Any time you work with an API key, do it on the backend. Anything shipped to the frontend, whether in a JavaScript bundle, an HTML page or a mobile app, can be read by anyone who opens the developer tools, so a key that lives there is effectively public. In some cases you will be working with an API that has to be called from the frontend; then do your best to keep an eye on the key's usage, restrict where it can be used from (Google, for example, lets you restrict a key to specific HTTP referrers or IP addresses, and to specific APIs), set up throttling and/or limiting, and deactivate and replace the key as soon as you notice any suspicious activity on it.

Before Starting, Check the Rates!

It is always a good idea to understand the pricing of an API before you use it. While many providers include some free usage, you should know how that usage is measured. In the case of Google Translate API's text translation, every character you send (translated or not) counts towards your monthly total, so any input you forward without validation is input you pay for. You may also want to estimate the cost at the scale you expect to reach. Other APIs count usage per day rather than per month, so be sure to understand the billing window before you start.

Set Up Throttling or Limiting

Check whether your API provider does any throttling or limiting for you. In the case of Google, a single key can be used across all the APIs enabled in the project. If you need to use the same API from multiple apps, create a separate key for each app: if one key leaks, only that app is affected, and only that key has to be rotated. Also, for Google, set the quota of every service you are not using to zero (and restrict the key itself to the APIs you do use). That way, should your key leak, there is a ceiling on the number of calls, and on the bill, that an attacker can run up on it.

If you need extra control in your own code, a throttler smooths sudden traffic spikes so they do not cause performance issues (or burn through a quota in one go), while a limiter sets a hard cap on the number of API calls allowed in a window of time. There are many libraries for this; bottleneck and express-rate-limit are two options.

NEVER Hard Code Your Key Into Your Code or Push It to Github

Never hard-code your API key: a key in source is easy to steal, and as soon as you push that code to GitHub it will be picked up by the bots that continuously scrape public repositories for credentials. Keep the key out of the code by reading it from an environment variable; in development, the dotenv library is a convenient way to load those variables from a file.

dotenv lets you define environment variables in a .env file in the root directory of your project. When your server starts, dotenv loads that file into process.env, and your code reads the key from there when it needs it. Keep in mind that dotenv does not protect the key by itself: it is the .gitignore entry that keeps .env out of GitHub, and if your backend ever sends the key to the client, for example by echoing it in an endpoint's response or in an error message, it is just as stolen as if it were hard-coded. In production, prefer real environment variables or a secret manager to a .env file on disk.

If you absolutely must use an API key on the frontend, check out dotenv-webpack. Be clear about what it does: it substitutes the variable's value into your JavaScript bundle at build time, so the key ends up in the files you serve and any visitor can read it. Any code on the frontend is inherently public, so this should not be your first go-to, and a key used this way must be restricted (for example to your site's HTTP referrer) and replaced as soon as it is abused.

GET STARTED WITH GOOGLE TRANSLATE API WITH 7 STEPS

1. Make a New Project

Let's get started! Go to the Google Cloud Console and sign in. You will need to provide billing information for your account to use any APIs. Click the project selector next to the menu, click New Project in the window that appears, and follow the instructions.

2. Make a Service Account

Next, you will need to create a service account.

From the menu, click on IAM & Admin, then on Service Accounts. From here, click on Create Service Account at the top of the page and follow the instructions. When asked which roles to grant, give the service account only what this tutorial needs, for example the Cloud Translation API User role, not Editor or Owner: if the key leaks, the damage is limited to translation.

Once your service account has been created, click on it and open the Keys tab. From here you can add a new key; choose the JSON type, which is recommended.

3. Save Key on Local Machine

Save your key somewhere on your local machine, NOT in your project directory. This JSON file contains a private key and should be treated like a password: anyone who has it can act as the service account.

4. .env & gitignore

Install dotenv in your project by running

npm install dotenv

then create a .env file in the root of your project.

Be sure to add .env to your .gitignore file so your key does not get pushed to GitHub, and confirm with git status that the file is not tracked. If a key has already been committed, deleting the file later does not help: the history still contains it, so revoke that key and create a new one.

In your text editor, open the JSON key file you just saved. Set a variable in your .env file and paste the contents of the key as its value. dotenv reads one variable per line, so keep the JSON on a single line and wrap it in single quotes, which preserve the \n escape sequences inside the private_key field exactly as they appear in the file. Check that your quotation marks were not turned into curly "smart" quotes, which can happen when copying and pasting and will break parsing. If your server has trouble reading the variable, you can drop any fields from the JSON object that the client does not need; at minimum it needs project_id, client_email and private_key.

5. Set Quota

Back in the Google Cloud Console menu, click on APIs & Services, then on Dashboard.

Next, click the API you want to throttle and, in its menu, click on Quotas.

I recommend going through all services and setting the quota of every one you are not using to zero. For this tutorial we only need Google Translate API, and the quota that matters is the one for v2 and v3 general model characters, which is a per-day limit. Expand the menu and lower the limit to an amount you are comfortable with. The free tier is 500,000 characters per month, so a daily quota of 16,000 characters (16,000 × 31 = 496,000) guarantees you cannot exceed the monthly free allowance even in a 31-day month.

6. Example Code on Backend Route

If you have not installed the Google Translate client yet, run

npm install --save @google-cloud/translate

The code for this step (shown as a screenshot in the original post) requires the Google Translate client and dotenv, reads the key from the .env file (reminder: .env must be in .gitignore!), instantiates a new Translate client with those credentials, and finally makes the API call inside the POST route.

7. (Optional) API Throttler / Limiter

If you need further control over your API usage, don't forget to check out and set up bottleneck or express-rate-limit.
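To make the throttler/limiter distinction from the Set Up Throttling or Limiting section concrete, here is an added example of mine (not the original post's code, and not the bottleneck or express-rate-limit libraries themselves): a fixed-window limiter that hard-caps requests per client, and a token bucket that smooths bursts, each with an injectable clock so they can be tested without waiting. The middleware wrapper assumes only Express's (req, res, next) convention and the req.ip property; names such as FixedWindowLimiter, TokenBucket and rateLimit are mine.

```javascript
// Added example, not from the original post or from the bottleneck / express-rate-limit
// projects: a hard per-client limiter (what a "limiter" does) and a token bucket (what a
// "throttler" does), with an injectable clock so both can be tested without waiting.

// Hard cap: at most `max` hits per `windowMs` for each key (client IP, API token, ...).
// Once the cap is reached, further requests are rejected until the window resets.
class FixedWindowLimiter {
  constructor({ max, windowMs, now = Date.now }) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  hit(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 }; // first hit in a fresh window
      this.windows.set(key, w);
    }
    w.count += 1;
    return {
      allowed: w.count <= this.max,
      remaining: Math.max(0, this.max - w.count),
      resetMs: w.start + this.windowMs - t,
    };
  }

  // Drop expired windows so the map does not grow with every client ever seen.
  prune() {
    const t = this.now();
    for (const [key, w] of this.windows) {
      if (t - w.start >= this.windowMs) this.windows.delete(key);
    }
  }
}

// Smoothing: calls consume tokens from a bucket that refills at a steady rate, so a burst
// is spread out instead of hitting the upstream API (and its quota) all at once.
class TokenBucket {
  constructor({ capacity, refillPerSec, now = Date.now }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.tokens = capacity;
    this.last = now();
  }

  refill() {
    const t = this.now();
    this.tokens = Math.min(this.capacity, this.tokens + ((t - this.last) / 1000) * this.refillPerSec);
    this.last = t;
  }

  // Try to take `n` tokens; if there are not enough, report how long until there will be.
  take(n = 1) {
    this.refill();
    if (this.tokens >= n) {
      this.tokens -= n;
      return { allowed: true, waitMs: 0 };
    }
    return { allowed: false, waitMs: Math.ceil(((n - this.tokens) / this.refillPerSec) * 1000) };
  }

  // Run `fn` once a token is available, sleeping (real clock) while the bucket is empty.
  async run(fn) {
    for (;;) {
      const { allowed, waitMs } = this.take();
      if (allowed) return fn();
      await new Promise((resolve) => setTimeout(resolve, waitMs));
    }
  }
}

// Express-style middleware wrapper, keyed by client IP by default. Express itself is not
// required here; only its (req, res, next) calling convention is assumed.
function rateLimit(limiter, keyOf = (req) => req.ip) {
  return function middleware(req, res, next) {
    const r = limiter.hit(keyOf(req));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.resetMs / 1000)));
      res.statusCode = 429;
      return res.end('Too Many Requests');
    }
    return next();
  };
}

module.exports = { FixedWindowLimiter, TokenBucket, rateLimit };
```

Mount the limiter in front of the translate route with app.use('/translate', rateLimit(new FixedWindowLimiter({ max: 60, windowMs: 60000 }))), and wrap outgoing calls with bucket.run(() => client.translate(text, target)) so a burst of requests is spread out rather than forwarded to Google all at once. Both keep their state in process memory; if you run several server instances, back the counters with a shared store such as Redis, otherwise each instance enforces its own cap.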
