should I keep my geocode api key a secret? - javascript

I'm working with the geocoding api from google. I'll be hitting the following endpoint with ajax like so...
$.ajax({
url: https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=MY_API_KEY,
success: function(data) {
console.log("yay");
}
})
Is it safe to add my api key directly into my javascript? This means it will be viewable from my website and also on source control. What precautions should I take?

No, you should absolutely hide your API key(s) from the client and source control. A malicious user could use the key to exhaust your quota, making your application potentially unusable.
To avoid this, create a server which fetches the data from the API and then serves it to the user. Additionally, you should apply rate limiting, to prevent users exhausting your quota through your own application.
For more information, see this support article.

Consider also using the Geocoding Service in the Google Maps JavaScript API. When loading the JavaScript API, make sure to use an API key that is restricted to your website.
Remember that results from the Google Geocoding services must be displayed on a Google map (see 10.4.d and 10.4.e).

Related

Downloading Google Analytics Data By Client_id

I'm allowing users of my site to download their google analytics data at their free will for transparency sake and I don't want to deal with CCPA requests for data myself.
I'm using Node.js as my backend and was wondering if it's possible to download google analytics by client_id. I'm using a service account for my google console access.
If there's some documented api endpoint that I'm not seeing that would help a lot.
Sure you have, it came in for that purpose
The User Activity API allows a Google Analytics property owner to
retrieve all analytics measurement data associated with a single user.
Specifically, the API retrieves all of the measurement data associated
with a particular User ID or Client ID.
https://developers.google.com/analytics/devguides/reporting/core/v4/user-reporting

Accessing Google Analytics Data With API Key Only

I'm trying to use Google Analytics API in Javascript. I want to:
Query Data for a specific website (under my control)
Use the data to build an open-to-the-public dashboard
Every example I can find requires you to use OAuth to authenticate before you can query data. Because I only want to query (not delete/modify), is there a way to use a simple API Key to grab the data I need?
Yes and No. The Google Analytics Core Reporting API is an Authenticated API and requires the use of OAuth2, authorized with the appropriate scope:
https://www.googleapis.com/auth/analytics.readonly
The API key simply identifies your Google Project, it does not necessarily grant you authorization to read the data of your Google Analytics Accounts, even if that account is associated with the same Google Login. The API key is usually public and lives on the client browsers, it would not be secure to grant access to anyone's Google Analytics Account data simply if they had access to a particular key.
What you are going to need to do is use a service account to access the data. Take a look at the Google Analytics Demos and Tools site. There they have a really good example example of using a service account server side to generate an access token and then has the JavaScript Client library make the final request. Alternatively you could build something akin to the Google Analytics Super Proxy which can query the API on your behalf and generates a public URL which can then be queried separately.

API calls from Google Spreadsheets?

OBJECTIVE
I want to retrieve JSON(P) data from tools I use (Quickbooks, Zoho, etc.) for custom reporting in Google Spreadsheets. Object Parameters (e.g "Account.name", "Account.birthday") would be listed across Row 1 in Spreadsheets and data would be dumped into the columns.
I know I can run javascript scripts in Google Spreadsheets via their script editor and I know some javascript - at least enough for array and object manipulation (not familiar with APIs)...
QUESTION
I think I can make JSONP requests for x-domain API requests (via
HTTPS) - am I correct?
For private APIs, I'll have to pass in an Private API Token - can I
prompt a user to insert their API key and then make a request? As a
result, no API keys will be stored permanently. Is this okay?
I'm pretty sure I've seen some websites that have API keys in their URL (soundcloud?) - I thought that having visible API keys is dangerous (someone can steal your key and abuse the company's servers). Am I wrong in my thinking?
Once again, I am fairly new to programming so feedback (and reading resources) would be greatly appreciated!

YouTube API Key Security - How worried should I be?

I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes peoples lives a little bit easier. I have one issue/concern, should I be hiding my YouTube V3 API key, client id, and scopes? Or can I assume that since only my domain name is whitelisted, that the potential hackers/people who try to use the API key, won't be able to make any calls or do any damage so therefore I have nothing to worry about?
These are the specific calls I'm worried about (not the real ids/keys)
Index.html Script Tag
var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];
In Angular, Controller.js
.value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
gapi.client.setApiKey(google_api_key);
For Simple Access to Google APIs, API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.
You should keep it a secret!
If you have a client-side-only app (without a server), then use OAuth 2.0 Client-side Flow
From Google's Documentation:
Best practices for securely using API keys:
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:
Do not embed API keys directly in code
API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.
Do not store API keys in files inside your application's source tree
If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.
Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them
By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.
Delete unneeded API keys
To minimize your exposure to attack, delete any API keys that you no longer need.
Regenerate your API keys periodically
You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.
Review your code before publicly releasing it
Ensure that your code does not contain API keys or any other private information before you make your code publicly available.

YouTube API difference between API Key and Developer Key

I'm having some issues understanding the differences between an API Key and a Developer's Key when it comes to utilizing the YouTube API.
My application is using the restful requests in v3 of the Youtube API and I can set an API key via the gapi.client.setApiKey() function , which I have done during development, but when I was looking at the quotas, https://groups.google.com/forum/?fromgroups=#!topic/youtube-api-gdata/e1JDQ4lqbXU, it states that they are tied to a developer key instead and that the developer key should be sent with each request. I went ahead and got one for development purposes, but I'm not sure how they interact with each other.
I also didn't find any details on how to send the developer's key with each restful request (such as gapi.client.youtube.channels.list), only how to include it in the header or query string when making a regular get request.
Can someone help me understand the difference between the two, how they are related, whether I need both, and how to use them in restful requests, or if I need to switch to regular get requests?
Sorry for the confusion.
"Developer keys" refer to keys that worked with v1 or v2 of the YouTube Data API. You can obtain them here. There's a separate quota system in place for v1/v2 and yes, developer keys do come into play there.
"API Keys" refer to keys that you use when making unauthenticated requests using v3 of the YouTube Data API. (If you're making an authenticated request, you don't include an API Key, since the OAuth 2 client id/secret identifies your application.) You get an API Key that you could use with YouTube from the Google APIs console, after turning on the YouTUbe Data API v3 as one of the Services you're using. Quota in v3 is tied to your API Console project, and your API Key identifies which project you're using.
The takeaway is that if you're making unauthenticated YouTube Data API v3 calls, you should only include an API Key from the Google APIs console in your request. If you're using the JavaClient library, that's done via gapi.client.setApiKey().

Categories

Resources