Amplitude API key okay to make public?


I'm hooking up my React Native app to Amplitude analytics and wanted to know if it is okay to just put the raw API key in the code. Users could look at this, so could they theoretically start using the API key and send incorrect data to my analytics? Is an API key specific to my app so that this wouldn't be a problem? I am new and just trying to find out if it is okay for me to make the API key for Amplitude Analytics public.

2

There are 2 answers

1
kevgathuku On

In general, it's not a good idea to expose your API keys publicly. Anyone could get that key and use it to send data as you, which doesn't make the analytics very helpful. If you have the option of making it private, which I'm sure is possible with React Native, you should do so. I don't know the specifics, but in general it is a Very Bad Idea to expose your keys to the public.

0
Tad Venture On

Third-party libraries for analytics, logging, etc. typically have API keys that only allow writing. You should check the specifics of each library, but here is an answer for Amplitude: https://github.com/amplitude/Amplitude-Javascript/issues/100

You have to expose them to the client for the service to work, so the risk of someone putting possible junk data in as the worst-case scenario is seen as an acceptable trade-off. I would still recommend using environment variables for them, though. Don't just put the raw strings in source control.

I can't comment, so in response to kevgathuku:

You can't "hide" things on the client. If it's on the client, it's exposed. Best you could do is obfuscate it.

The difference is if it's some API key that could live on the server, and is used in back end code. These typically have higher levels of access to the target API, and should never be included in the code. Use environment variables once again, and also ensure your page is HTTPS to prevent easy sniffing of the request.
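
As an added example (not part of either answer above), here is a Node.js check in the spirit of the advice to keep raw key strings out of source control and read them from the environment. It assumes keys are 32 hexadecimal characters and uses a hypothetical `AMPLITUDE_API_KEY` variable name; the key still ships in the client bundle, so this protects the repository, not the app.

```javascript
// Added example: flag hard-coded analytics keys before they reach source control.
// Assumption: keys look like 32 hex characters; adjust KEY_LITERAL for other formats.
const KEY_LITERAL = /(['"`])([0-9a-fA-F]{32})\1/g;

// Mask a key so the report itself does not reproduce the full value.
function mask(key) {
  return key.slice(0, 4) + "…" + key.slice(-4);
}

// files: object mapping path -> file contents. Returns one finding per literal.
function findHardcodedKeys(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(KEY_LITERAL)) {
        findings.push({ path, line: i + 1, key: mask(m[2]) });
      }
    });
  }
  return findings;
}

// Read the key from the environment and fail loudly if it is absent or malformed.
// AMPLITUDE_API_KEY is a hypothetical variable name.
function loadApiKey(env) {
  const key = env.AMPLITUDE_API_KEY;
  if (typeof key !== "string" || !/^[0-9a-fA-F]{32}$/.test(key)) {
    throw new Error("AMPLITUDE_API_KEY is missing or malformed");
  }
  return key;
}

// Constructed sample sources (the key value is made up).
const SAMPLE_FILES = {
  "src/analytics.bad.js":
    'amplitude.getInstance().init("0123456789abcdef0123456789abcdef");\n',
  "src/analytics.good.js":
    "import { AMPLITUDE_API_KEY } from './config';\n" +
    "amplitude.getInstance().init(AMPLITUDE_API_KEY);\n",
};

// Only the file with the literal is reported; the env-based one passes.
console.log(findHardcodedKeys(SAMPLE_FILES));
```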