What is a JavaScript API key when it can be seen by anyone looking at JS code

I have seen services like Google that require adding an API key when calling JavaScript, for example:

https://www.google.com/jsapi?key=thekeygoeshere 

What is the point of having this JavaScript API key when the code can be seen and the key can be read? Can't someone just copy this key and use it for their site? Or is there something else they do in the background to ensure that the key belongs to the site that is causing the call?

+6
javascript jquery security api
2 answers

Presumably, they check the referrer HTTP header.

Most users send it. So, if it is:

  • The site corresponding to the key, they can work as usual.
  • A site that does not match the key, they can reject the request.
  • Blank, they can work as usual and allow a tiny fraction of people to use the API on the wrong site.

Most site visitors using the wrong key will be blocked, so you should not use the wrong key on the site in the first place.

+6
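
The three cases from the answer above, as an added example that is not part of the original answer or Google's own code: a server-side check that binds an API key to registered hostnames. The registry, the key, the hostnames, the function names and the choice to reject a malformed header are all assumptions.

```javascript
// Constructed registry: API key -> hostnames the key owner registered.
// The key and hostnames are made-up sample values.
const KEY_REGISTRY = new Map([
  ["demo-key-123", ["example.com", "*.example.com"]],
]);

// True when `host` equals the pattern, or the pattern is "*.domain"
// and `host` is a proper subdomain of that domain.
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// Decide one request, following the three cases in the answer.
// `referer` is the raw header value, or undefined/"" when absent.
function checkKey(apiKey, referer) {
  const allowed = KEY_REGISTRY.get(apiKey);
  if (!allowed) return { allow: false, reason: "unknown-key" };

  // Blank header: serve anyway, accepting that a small share of
  // requests cannot be tied to any site.
  if (!referer) return { allow: true, reason: "no-referer" };

  let host;
  try {
    // Compare the parsed hostname, never a substring of the raw header,
    // so "example.com.other.test" is not mistaken for "example.com".
    host = new URL(referer).hostname.toLowerCase();
  } catch {
    // Assumption: an unparseable header is rejected rather than served.
    return { allow: false, reason: "malformed-referer" };
  }

  // Site matches the key: serve. Site does not match: reject.
  return allowed.some((p) => hostMatches(host, p))
    ? { allow: true, reason: "site-matches-key" }
    : { allow: false, reason: "site-mismatch" };
}
```

The header is supplied by the client, so this check keeps ordinary browser visitors of another site from using the key; it does not authenticate the caller.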

The Google code will use AJAX or something similar that will make a call to your server, detailing your key and the URL of the site on which it is used. Then Google can check whether it is the correct site for this key and, if it does not match, stop the code from working.

Although the map API works on any site with any key.

0