
Securing API requests from JavaScript

I've got a JavaScript front end and I need to make an API call to a 3rd party API requiring an API key. I'm fairly certain there is no way to actually secure that key if used in the JavaScript code, since anyone can find it if they try.

I have also read other similar questions where the top suggestion is usually "make the request from the server side". That makes sense, as nobody will see the API access key, but what I DON'T understand about this solution is that if I make a call to this new intermediate layer API, that call can still be discovered by someone looking through the browser... so while they can no longer discover my API key for the API I'm trying to access, they no longer NEED it, because the intermediate layer simply adds the key for them and forwards on the request. I've essentially created a way to access the 3rd party API WITHOUT using a key.

(JavaScript -> Makes request to new API with no key -> New API -> Makes request to 3rd party API with key -> New API returns results to JavaScript)

Am I missing something here? How is that more secure? Isn't there some other step required to secure it? I've tried to find a concise answer in similar questions but no luck thus far.

Thanks.

If you want to limit potential abuse of your server's endpoint which relays requests to the true API, you can use things like authentication tokens tied to an individual user's account which expire after a certain amount of time. If you find that a particular user is using the API much more than is normal, and it's causing problems for you, you can look into it and remove their permissions to hit your endpoint if needed.

If you don't want to require any authentication at all for the API, keeping the API key on your server can still help you because it'll let you tweak the logic later as needed, without compromising the key now. For example, you might later decide to add an authentication layer to your endpoint (and if your key was exposed before then, you'd probably regret it because you'd have to get a new key).

Keeping the key private could also be a requirement of the API's TOS.

You are making a request to the 3rd party API with some purpose. This purpose needs to make sense for the user of your application, with whatever business logic restrictions that should be in place there.

If you straight up proxy an API request through your own server and add an API key, then you are right... this is about as bad as just having an API key in the frontend.

But you shouldn't do that. Your intermediate layer isn't just responsible for hiding the API key, it also controls exactly what API can be called and with what parameters, and under the specific conditions that you want to allow this.
