Geek Answers Handbook

How to store API keys in a Python application?

In my case, I am using the Dropbox API. I currently store the key and secret in a JSON file, so that I can gitignore it and save it from the Github repo, but it’s obviously not better than having it in your code from a security point of view. There have been many questions about protecting / obfuscating Python before (usually for commercial reasons), and the answer is always "Do not, Python is not for this."

This way, I'm not looking for a way to protect the code, but just a solution that will allow me to distribute my application without revealing the details of my API.

+7
source share
3 answers

Plain text. Any attempt to obfuscate is useless if the code is distributed.

+2
source

I do not know if this is possible in your case. But you can access the API through the proxy server you are using.

Requests from the Python APP are sent to the proxy server, and the proxy server executes the requests in the Dropbox API and returns a response to the Python application. This way, your api key will be in the proxy server on which you are hosting. Access to the proxy server can be controlled by any means that you prefer. (E.g. username and password)

+2
source

There are two ways, depending on your scenario:

If you are developing a web application for end users, just place it so that your API key is not disclosed. Thus, keeping it gitignored in a separate file, and only uploading it to your server should be fine (as long as there is no violation on your server). Any obfuscation will not add any practical benefit, it will simply give a false sense of security.

If you are developing an infrastructure / library for developers or a client application for end users, ask them to create their own API key.

+1
source

More articles:


All Articles