Keeping API Keys Private in Your React Project
API keys are often called secrets, but are they still secret if they can be found on the internet by anyone, buried within the commits you’ve made to your repository while fetching data or sending requests to an API? Clearly not. So, how do we address this issue? How can we safeguard these secret keys? One straightforward method to maintain their privacy and protect your work is by using an environment variable (env).
What are API Keys?
API keys are alphanumeric strings composed of letters and numbers. To access data from certain APIs, obtaining an API key is typically required. This process often entails creating an account with the API providers. API keys function much like passwords on mobile phones. They serve as a means of authentication when interacting with APIs and are essential for retrieving data from various providers. However, it is imperative to keep API keys private to ensure the security, cost control, and data privacy of your application.
API keys are alphanumeric strings consisting of letters and numbers. To access data from certain APIs, you typically need to obtain a key, which often involves creating an account with the API providers. API keys are like passwords on mobile phones. They serve as a form of authentication when interacting with APIs and are crucial for accessing data from various providers. However, it’s essential to keep API keys private to ensure the security, cost control, and data privacy of your application.
Why Keep API Keys Private?
There are three main reasons for using API keys:
1. Security: This is the primary reason. API keys are kept secret to prevent unauthorized access to your API or services. If an API key falls into the wrong hands, it can be used to make unauthorized requests, potentially compromising sensitive data or disrupting your services.
2. Cost Control: API keys are often associated with usage limits and billing. If someone obtains your API key and uses it maliciously, you could incur unexpected charges or exceed your API usage limits.
3. Data Privacy: If your API deals with sensitive or personal data, a breach due to exposed API keys can result in a violation of data privacy regulations, leading to legal and reputational consequences.
Securing API Keys in Your React Project
Here are the steps I recommend:
1. Start by installing the `dotenv` package from the terminal using the command below:
npm install dotenv --save
2. Create a `.env` file. This file must be at the root of your project as seen in the GIF below:
3. Create a variable with the format below and assign the key to it:
4. Next, use the key in your project by calling `process.env.REACT_APP_API_KEY`.
5. A very important step is to restart the server if it was initially open.
npm start
Without this, the key would be inaccessible and thus, read as undefined.
6. Finally, add the `.env` file to your `.gitignore` file to prevent the file from being added to your commit.
Voila! That is all there is to do. Your security is guaranteed. I hope you found these steps helpful. Feel free to leave a comment and tell me what you think. Do you know an alternative method to keep API keys out of your GitHub repo?