
Sarthak Sharma

How to hide your API endpoints while making an electron app?

What is the best way to hide your API endpoints in an electron app?

As one can always check the code of your electron app like this.

So what is the best, recommended approach here?

Top comments (12)

rhymes • Edited

I'm not sure there's a way, I could just setup a proxy or a network logger on my computer and see where your app connects to.

Why do you need to hide the endpoints?

A possible solution is to proxy your endpoints through a server

client ---> reverse proxy ---> real server 1 (real server 2)...
Sarthak Sharma

Let's say I'm using an API from Unsplash. They give me two keys. I use a "dotenv" file to store these as environment variables. Even if I make a build of it, that .env file will be in my app folder and hence will be exposed to users.

James Allen

Think about video games and how well DRM has worked at preventing users from seeing the insides of shipped games.

You could obscure your code and endpoints but nothing you ever give to your clients will be truly "hidden" from them.

The more you obscure, the more of a fun challenge you'll give to a reverse engineer!

 
Phil Nash

Another option would be to build it such that you request the end user to create an Unsplash API key, configure it in your application and use that instead.

Sarthak Sharma

That's right, this will work if the user has an Unsplash account, which maybe they don't. Thanks for suggesting though.

 
Sarthak Sharma

So I have to make a server where the code for the Unsplash API will run, and set the env variables there?

 
Sarthak Sharma

But what if it's an open source product and there is no way to monetize it. What then? 🤔

rhymes

I think your best bet is to have a server. Your app calls this server and the server calls Unsplash and other APIs and returns the data.

But what if it's an open source product and there is no way to monetize it. What then?

Open source does not mean you can't possibly monetize it, but let's say you really can't because of something. Can you work within the free tier of some service? Things like Google Cloud, Zeit and Heroku have good free tiers.

You might even be able to do everything within the context of a serverless backend, writing just a thin layer.

It depends on what you're trying to do.

Sarthak Sharma

A free tier can be a great option.

You might even be able to do everything within the context of a serverless backend, writing just a thin layer.

Elaborate?

rhymes

I meant that if the only thing you require is to call an API and get back the result you might not need to build an entire server side application, it might be enough to call a serverless function and let it do it for you.

For example, in this post @didil explains how you might go about writing an API to resize images. In his case he's using a Go library that processes the image but if he wanted (just for our sake) to call Cloudinary's service instead, he would call that, leaving Cloudinary's keys on the server.

Zero servers manually configured.

There's a lot of content here:

Max Ong Zong Bao

One way is to install an API gateway and let it act as a middleman to proxy your API services. You can look at the Kong API gateway to help you with that. Hope it helps.

Sarthak Sharma

Damn!!