API Key Domain Restrictions

  • 1
  • Question
  • Updated 8 years ago
I'm wanting to host a site that is client-side code only (html/js). I don't see any domain restrictions for the API key that I signed up for. What is to prevent someone from looking at my JS source and using my key on their site? Is there a secure way I can make API calls from Javascript without running this risk?
Photo of nwitte


  • 1 Post
  • 0 Reply Likes

Posted 8 years ago

  • 1
Photo of Brendan Hayes

Brendan Hayes, Official Rep

  • 962 Posts
  • 124 Reply Likes
I know that sites have been able to hide the key, but I don't know the specifics of how. Such as http://www.thedailybeast.com/

One way I've heard is to have a php proxy page to pass information to and then to the API key, since you can't view source on php code.
Photo of afelicioni


  • 227 Posts
  • 43 Reply Likes
IMO you can't fully hide your key when coding in javascript to call WU api methods.

As written by Brendan you can use "proxying" methods to avoid full disclosure of the key itself, allowing clients to make calls via your "middleware"; this is also useful if you need to change something in api call and leave the javascript side as is.

Some hints could come from projects that handle document referrer values via whitelisting; but in the end you must decide if it's worth since it's not always a winning choice (referrer are sometimes blocked or forged).

Anyway I must not recommend about The Daily Beast website way, since anyone is able to see the call to api.wunderground.com with key in clear, just using simple web developer tools like firebug