DEV Community

Cover image for Quick way to Secure API Keys for the Frontend
Jose R. Torres for KOR Connect

Posted on • Updated on

Quick way to Secure API Keys for the Frontend

We all know that API keys and connections can not be secured on the client side of an application. Hard coding API keys on the frontend is a quick and surefire way to have your API connection shutdown, API keys stolen, and have your API provider’s bill skyrocket. So what options are there if you do not want to maintain back end infrastructure? We will explore the recommended techniques for integrating 3rd party APIs into client side applications without having to build a backend. Then we will walk you through a step by step example of integrating a private API to create a Covid 19 tracker using KOR Connect.

Ways of integrating 3rd party APIs without backend infrastructure:

Lambda image

Serverless Functions as a backend proxy (AWS Lambda):

It is often recommended to use serverless functions to hide API keys for client side applications. Then the client can use this serverless function as a proxy to call the API through a new endpoint. The developer should also incorporate CORS to identify the header origin so that only the allowed domains are calling the proxy (to prevent unwanted calls to the proxy url from anywhere). This may seem secure but CORS only verifies browser calls and can be easily spoofed or can be called from outside of the browser. A malicious actor can still run up costs with a bot and have the endpoint shut down. Further issues with this technique can arise around provisioning AWS services to support the lambda functions like API gateways, roles, and permissions between cloud services, this can be very time consuming if you are not familiar with the cloud provider.

Netlify logo

Netlify Functions (built on AWS Lambda):

Netlify Functions is a wrapper around AWS Lambdas, the main advantage to using this approach over the AWS provisioned proxy is an improved user experience and Netlify helps streamline the deployment for you. Netlify Functions remove the tasks associated with setting up an AWS account and other AWS services required to correctly integrate the API. Similar security issues persist with Netlify Functions as they do with setting up your own AWS provisioned proxy. Even with CORS setup the new Netlify endpoint can be called in unwanted ways and by unwanted agents. This leaves your API susceptible to being shut down, or having costs run up. Furthermore if you are not familiar with writing functions this could present an additional learning curve.

KOR Logo

KOR Connect:

KOR Connect is a new way for client-side web apps to integrate APIs. KOR Connect is the quickest way to secure API Keys and connect 3rd party APIs because you do not need to build infrastructure (AWS/ other cloud providers), or code functions (AWS and Netlify Functions). KOR Connect also uses AWS Lambda to secure API keys but the similarities between KOR Connect and the other options end there. The API key is secured on KOR Connect through a one click integration then a snippet containing a new public URL is copy-pasted into the developer’s code. This snippet that is placed into the frontend code contains Google’s Recaptcha V3 which is used as an attestation layer to confirm the origin of the endpoint call as well as block unwanted bot traffic. KOR Connect also has additional layers of security to further protect the API traffic from man-in-the-middle attacks. KOR Connect prevents endpoint calls from malicious actors with and without the browser, secures API keys, and blocks bot attacks. The public URL that is used in the code does not need to be hidden so this frees the developer from having to worry about API secrets ending up in the git repository, API secrets being exposed on the client, having to manually create wrappers around lambda functions, and worrying about unwanted endpoint calls being made. The current feature set KOR Connect is the best option for client-side web apps that want dynamic functionality but may not necessarily want user authentication. (Bonus it’s also free)

Now let's walk through an example using KOR Connect and Vue.js!

gif
Lets create a COVID-19 tracker. In order to do this we have to pick the API that we want to use. I decided on the COVID-19 Statistics API that uses data from John Hopkins University.

If you already have a KOR Connect account you can sign in here or you can create a new account.

Let’s start by creating an API connection on KOR Connect by clicking on the “+ Connect API” button:
Connect API Button

The connection details were all copied directly from RapidAPI. More information regarding the API connection module here.

Connection module

Done! After making the connection, go to View Details for your new API connection.

Snippets

If you want, here is a great video tutorial by Traversy Media walking you through building the site on Vue.js. (Here is the code for his COVID-19 tracker).
Note: In the tutorial he uses a public API, we will use KOR Connect to easily integrate the private API into our site.

Now, all you need to do is grab the Secure URL and Public API Key provided by KOR Connect and use them to make an API request. Here's an example of the fetch request.

fetch("<YOUR-SECURE-URL>", {
    "method": "GET",
    "headers": {
        "x-rapidapi-key": "<YOUR-PUBLIC-API-KEY>"
    }
})
.then(response => {
    console.log(response);
})
.catch(err => {
    console.error(err);
});
Enter fullscreen mode Exit fullscreen mode

It was as simple as that, now your API integration works without any additional libraries or configurations.

If you're interested in adding even more security through an attestation service keep reading.

Additional Security

Let’s take a look at how KOR Connect provides an additional layer of security. Follow along if you would like to implement Recaptcha as an attestation layer amongst other security features.

You will have to navigate to the Additional Security section within the View Details of your API connection.

Additional_Security

Then you will have to turn on Additional Security. When Additional Security is turned on, the Security Type should read Single URL + Additional Security.

Toggle_additional_sec

Now, scroll down to the snippets section and depending on what framework you are using for your project, you will add the corresponding snippets of code to your project. We will be walking though this Covid19 tracker API integration using VueJS.

Vue_snippet

Take a look at the following snippet:
Snippet box

This is how to integrated the snippet into your project:

Modified snippet

Note: the KOR Connect URL is modified with the paths I received from RapidAPI. For example, to get the total Covid cases I need to add this to my base URL:

Path

All the paths available in the API you are using can be appended to the KOR Connect base URL (secure URL).

Now, all of the API calls are made to the public URL that KOR Connect provides. KOR Connect will act as a proxy to authenticate as well as send the API information. Furthermore, thanks to reCaptcha V3 (which is implemented automatically) and additional layers of security, several malicious attack vectors are blocked which enhances KOR Connects security.

Finished site

With permission, this blog references this Covid 19 tracker blog post made by Rodrigo.

Here are a few for more cool project tutorials using KOR Connect:

Connecting the YouTube API to download music without a backend on Angular

Setting up a Gif generator API with on Reactjs

Integrating a real time currency exchange rate calculator API - HTML

Discussion (2)

Collapse
mary_white profile image
Mary White

Yes! I use this tool to give dynamic functionality to my landing sites by easily connecting 3rd party APIs. It takes the guess work out of having to spin up my own backend because I don't have to do that and saves a lot of time.

Collapse
johnny93u profile image
John Uil

This is a different approach. I tried it out and it really simplifies many things, I don't have to worry about my API secrets in the git repo or on the frontend, I also don't need to bring up a backend for API integration. This saved me time, works well with APIs especially if you don't want user login (there are not many security approaches for APIs used in this way).