Member-only story
Keep Your API Keys Safe
Get those important strings out of your code and into PLIST files
Many APIs require developers to provide an API key and/or API secret to be able to access the API.
This is both to identify the app that is accessing the API and to limit access to the API for apps that are known to the API.
Both the API key and the secret (if you have one) should be treated as a secret: Anyone who knows these can access and use the API, impersonating your app. This results in all sorts of security concerns: Depending on the type of API, an attacker might be able to access your application’s data, compromise your users’ data, and access information that is protected by the terms of service established between you and the service provider. They might also thrash the API, causing a large bill for you at the end of the month.
All of these are good reasons to make sure to keep your API keys and secrets safe and secure.
In this article, we’re going to look at how to make sure your API keys and secrets don’t accidentally leak to your version control system. The easiest, but also the most dangerous, way to store your API key is to define a constant in your app’s source code. You might have seen code like this:
When committing code like this to your version control system, anyone who has access to your repository can go ahead and use the API key in their app to access the API. This might not be a big deal if your code lives in an in-house repository with tight access control, but it is a huge security risk for open source projects.
The easiest way to work around this is to externalise your API key into a configuration file that you don’t check in to your repository. You can then keep the API key in a secure location (such as a password manager) and hand it out to developers on a need-to-know basis. For example, you might want to use the API key for accessing the production endpoints only on your CI/CD server and provide developers with API keys to the…
