thedangler 9 hours ago

Also, can't you tie a key to a domain or IP address to help stop unauthorized usage?

littlecranky67 9 hours ago | parent [-]

Not if it's publicly called from JavaScript, as your user's browser will make those requests. You neither know their IP addresses, nor is the referer or origin header a safe choice as it can be spoofed outside of a browser.

lucavice 9 hours ago | parent [-]

If it's called from JavaScript in the browser, it's not a secret API key...

shakna 8 hours ago | parent | next [-]

Which is why Google calls it a public API key...

littlecranky67 8 hours ago | parent | prev [-]

There are plenty of API keys distributed like this by design. For example, Google Maps requires this, else your (anonymous) users can't use an embedded Google Map on your website. And a public Firebase app needs some kind of API key, too.