I'm thinking about developing a single-page application (SPA) that will allow public access without requiring user signups or account creation. The app will utilize a third-party API that provides public domain data, like currency exchange rates and global temperatures. Here's how it will work: each visitor will need to sign up for their own API key, input that key on my web page, and then click a 'go' button. My app will use JavaScript to make API requests with their keys directly, handling pagination and rendering results in a table. Since my web app doesn't have its own back end, all the traffic will be between the user's browser and the API. I've written a privacy policy to inform users about this, but I wonder if there are any security dangers in this setup. Specifically, is it safe to let users save their API keys in session storage as plain text?
5 Answers
What does the 3rd party API's terms of service say about your use case? It's key to understand their guidelines to avoid any violations, especially with sensitive data.
If the API allows all CORS, it seems like it's okay for the key to be displayed in the browser console. However, be cautious about exposing paid tier keys. Rate limiting might be an option they have based on usage which could become an issue if those keys leak out.
Not an expert, but since your app has no backend, I don't see too much risk in exposure as it relates to credentials. But you should consider implementing rate limiting to manage potential abuse from users or bots making excessive requests.
As long as the API you're using is secure and you're only sending the API key to that API over HTTPS, there shouldn't be any major concerns. However, users might hesitate to trust a random site with their keys. Just make sure that the 3rd party's terms of service allow this kind of usage. Also, keep in mind that session storage is generally fine, but it's ultimately the user's responsibility to ensure their key isn't leaked.
Yeah, I agree! But just to add, make sure your users are aware of the potential risks of using their keys.
That’s right! It’s crucial to communicate clearly how their keys will be used.
As long as you clearly communicate how and where the API key is stored, you should be good. Just know that there's a risk if users recycle API keys that they care about. What kind of functionality are you planning to implement with your app?
I'm thinking of building a tool for comparing currency rates. Would that be a reliable use case?
Good point about rate limiting. It could help safeguard against unexpected spikes in traffic.