This really highlights why you really should avoid giving frontend programs access to your API keys and other such tokens and always route requests via your backend.
You give access to your API keys and other secrets to the frontend and literally anyone can see them.
You should
1) Better block out your API key from your screenshots
2) Remove it from your example code
3) Get NASA to invalidate that one and issue you a new one
Edit: I guess the example code uses some demo key; that's probably fine. The screenshot is still easily readable.
This is not an issue if API tokens are restricted by domain.
There is nothing wrong with accessing the API from the frontend on its own. In some cases, it's even better (e.g. when you don't want to put too much load on the backend, or you don't need to log metadata about these requests).
However, it is true that more information is exposed, thus some thought should be put into how this can be abused, and how to prevent that.
When you say "the API" you probably very specifically mean this API specifically; there's a lot of other APIs that would require you to actually keep your credentials secret, when they e.g. result in billing events. This is why it's a good practice to avoid doing things like this on the frontend.
If your requests are causing too much load on your backend, just think what you're doing to other people's backends. Logging etc. is of course configurable, by you.
The credentials have been invalidated as an extra precaution but thank you!
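Added example, not part of the thread or any commenter's code: a minimal server-side proxy function illustrating the "route requests via your backend" approach discussed above, where the browser never sees the key. The upstream URL, the `api_key` parameter name, the allowed parameter list and the function names are assumptions made for illustration.

```javascript
// Added illustration. UPSTREAM_URL is a placeholder, not a real service.
const UPSTREAM_URL = "https://api.example.invalid/v1/images";
// Only these client-supplied query parameters are forwarded (assumed names).
const ALLOWED_PARAMS = new Set(["date", "count"]);

// Build the upstream URL on the server. Client parameters pass through an
// allowlist, so a client-sent api_key (or anything else) is dropped, and the
// server's own key is attached last.
function buildUpstreamUrl(clientQuery, apiKey) {
  const url = new URL(UPSTREAM_URL);
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    if (ALLOWED_PARAMS.has(name)) url.searchParams.set(name, value);
  }
  url.searchParams.set("api_key", apiKey); // assumed parameter name
  return url;
}

// Handle one browser request. In a deployment apiKey would come from the
// server's environment or secret store; fetchImpl is injectable so the
// function can be exercised offline.
async function proxyRequest(clientQuery, { apiKey, fetchImpl = globalThis.fetch }) {
  if (!apiKey) return { status: 500, body: { error: "server misconfigured" } };
  let upstream;
  try {
    upstream = await fetchImpl(buildUpstreamUrl(clientQuery, apiKey));
  } catch {
    // Network errors can embed the full URL, key included: never forward them.
    return { status: 502, body: { error: "upstream unavailable" } };
  }
  if (!upstream.ok) return { status: 502, body: { error: "upstream error" } };
  // Only the upstream payload goes back to the browser, never the request URL.
  return { status: 200, body: await upstream.json() };
}
```

Wire `proxyRequest` into whatever HTTP framework the backend uses, and add rate limiting there so the proxy does not become an open relay for the key's quota.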