If you are building mobile apps then you are connecting to some REST API. For example, if you want to resolve an address to a latitude/longitude information to display on a map, you might use the Google Geocoding API:
A good solution is to never expose the API key (or any other sensitive data) on the client. How do you do that? You keep the API key and any other sensitive information on the server.
Appery.io Secure Proxy (part of Backend Services) enables app developers to keep sensitive app data on the server. Your API keys or any other data is never exposed on the client. Watch this 5-minute video on how to use Secure Proxy:
Before using the Secure Proxy, you need to store the data on the server. To store the data you are going to use the Appery.io Database. It’s as simple as creating a collection with two columns. The first column is the value name, the second column is the actual value. This is how the database looks when storing the API key for Google Geocoding API:
As this key is stored on the server, no one (but you) has access to it. You can store other data as well such as URLs, tokens or anything else that shouldn’t be exposed on the client.
The next step is to setup the proxy that will use the information stored in the database. This step is also very simple, this is how it looks:
You give the proxy a name and then link it to a database which stores your data. The above proxy is linked to Secrets_db database, Credentials collection, and secretName, secretValue columns.
The last step is to link a REST API service to the proxy. In the service editor you select the secure proxy created:
then in the Request tab you reference the API key stored in the database (the name stored in secretName column):
and that’s it.
When the API service is invoked, the call will go through the secure proxy (server) where the API key will substituted:
For web apps, you can add an extra layer of security by specifying from which page URLs the proxy should accept requests:
The proxy will only accept requests from page URLs listed in the table.
Another option to keep API keys private is to invoke the API from the server using Server Code, I will cover this in another post.
Setting up an using the Appery.io Secure Proxy is simple. It provides a very important feature by allowing to keep sensitive and private data on the server, never exposing it on the client, and adding an extra security layer to your app.