An Easy Way to Manually Hide an API Key in a Simple Rails App

Why It’s Important to Hide API Keys, How to Do It, and What to Do If They’ve Been Exposed

Roman Tetelbaum
The Startup
3 min read · Nov 11, 2020


Why bother hiding your key?

An API can be entirely free to use, free up to a metered limit under a freemium model (for example, a number of API calls per month), or entirely paid. In any of these cases, the organization managing the API will typically monitor each API key it issues to prevent abuse, meter usage, and calculate billing. Even an API that is free to use would not want anyone to flood its service and overwhelm its servers. Freemium APIs monitor individual keys to determine whether you’ve exceeded the free tier, and paid APIs need to know exactly how many calls each key has made so they can bill the user. If your key is exposed, say you commit and push your app to your public GitHub repository along with your key, anyone in the world can now see that key, copy it, and use it themselves. At the very least, this could cause your key to be invalidated by the issuing organization because they suspect abuse; worse, a rogue actor could rack up serious charges on your account that you will be liable to pay for.

How do I hide my API key?

There are several ways to do this, including storing environment variables in a file using the dotenv Ruby Gem, but for a simple Rails app where you only want to hide an API key, here’s an easy step-by-step guide to get you up and running in minutes. Do not Git commit or push until you’ve completed step 2!

1. Create a file in your Rails project root directory whose name starts with a period (commonly called a dotfile; it is hidden from default directory listings). For example .api_key.rb or .spotify_key.rb, or anything that’s explicit and recognizable to anyone who may be involved in the development of the app. Add a global variable to this file that stores your API key:
Example of an API key file

2. If your Rails project is set up correctly there should already be a .gitignore file in the project root directory. Add the name of your key file to the end of .gitignore (see line 31):

Example of a .gitignore file with API key file added

3. Now, when making an API call to the API endpoint, you can use string interpolation to insert the key through the global variable you created instead of writing the actual key into your source. In the example below, I’m using the Spoonacular API to pull 100 random recipes from their database. In whatever Ruby file you’re making the API call from, make sure to require_relative the relative path of the hidden key file we created above, as in line 1 below (your relative path may be different). Notice at the end of line 3 that, instead of typing the actual key, I’m using the interpolated global variable from the hidden, Git-ignored key file I created earlier:

Example of API endpoint with obfuscated key
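As an added example (not code from the original post), here are the three steps above in one runnable Ruby script, plus the pre-commit check I’d want to run before the first push: the key file name .spoonacular_key.rb, the global $spoonacular_key, and the placeholder key value are assumptions, and the .gitignore matching is deliberately simplified to exact-name entries.

```ruby
require "tmpdir"
require "uri"

# Assumed (hypothetical) file name for the dotfile that holds the key.
KEY_FILE = ".spoonacular_key.rb"

# Step 1: the dotfile stores the key in a Ruby global variable.
# The value written here is a constructed placeholder, never a real key.
def write_key_file(dir, key)
  File.write(File.join(dir, KEY_FILE), "$spoonacular_key = #{key.inspect}\n")
end

# Step 2: .gitignore must name the key file. This simplified matcher only
# handles one exact name per line (with or without a leading "/") and
# skips blank lines and "#" comments; real gitignore globbing is richer.
def gitignored?(gitignore_text, filename)
  gitignore_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
    .any? { |pattern| pattern == filename || pattern == "/#{filename}" }
end

# Step 3: build the endpoint URL by interpolating the global loaded from
# the dotfile (load here plays the role of require_relative in a Rails file).
def recipes_url(dir, number: 100)
  load File.join(dir, KEY_FILE)
  "https://api.spoonacular.com/recipes/random?number=#{number}&apiKey=#{$spoonacular_key}"
end

# Pre-commit check: the key file must be ignored, and the key value must not
# appear in any other file in the project tree (e.g. pasted into a URL).
def safe_to_commit?(dir, key)
  gitignore = File.join(dir, ".gitignore")
  return false unless File.exist?(gitignore) && gitignored?(File.read(gitignore), KEY_FILE)
  Dir.glob(File.join(dir, "**", "*"), File::FNM_DOTMATCH)
     .select { |f| File.file?(f) && File.basename(f) != KEY_FILE }
     .none? { |f| File.read(f).include?(key) }
end

# Walk the whole flow in a throwaway project directory (constructed input).
def demo
  Dir.mktmpdir do |dir|
    key = "CONSTRUCTED-PLACEHOLDER-KEY-1234"
    write_key_file(dir, key)
    File.write(File.join(dir, ".gitignore"), "/log/*\n/tmp/*\n#{KEY_FILE}\n")
    url = recipes_url(dir)
    [safe_to_commit?(dir, key), URI(url).query.include?("apiKey=#{key}")]
  end
end
```

Running `demo` returns `[true, true]`; if the key value had been pasted into any other file, or the .gitignore entry were missing, `safe_to_commit?` would return false.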

I’ve exposed my key! Now what?

If you’ve already pushed your API key to a public GitHub repository, you must assume it’s compromised, no matter how short a time it was visible before you removed it. APIs like Spoonacular, used in the example above, offer an easy way to invalidate and replace an existing key with the press of a button in your account profile, although other APIs make this harder, or don’t allow it at all. Spoonacular and others make it easy to mitigate the situation if the compromise was caught early enough that a rogue actor did not use your key to rack up charges or get your account flagged for abuse: you simply replace your key. If your account has already been flagged and frozen, or worse, if you are responsible for hundreds or thousands of dollars in charges, you will have to work with the organization’s customer service team to attempt to resolve the issue.
