5

If I were to build a Twitter or Facebook application using pure client-side technologies like HTML and JavaScript, how would I mask/hide my API keys?

For example, for Twitter I have a consumer key and consumer secret. In order for me to call Twitter's API I'll have to pass these keys to authenticate my app. If I am using pure client-side technologies, I leave myself exposed. Therefore, the API keys are up for grabs and anyone can authenticate as my app. How can I prevent this? Can I prevent this at all?

This question is very similar to this thread, however, it's not a desktop application.

Sai
  • `If I am using pure client side technologies` In a client-server model, it doesn't make sense to use only client side technologies. As @Morons writes, it can't be done. Any reason you are not using anything server side? – yannis Dec 06 '11 at 06:25
  • Frankly, we are the API provider, rather than the API consumer. We are trying to figure out the easiest way we can allow our consumers to consume the API. Trying to figure out how much knowledge the consumers will have to have. The less they have to, the better. – Sai Dec 06 '11 at 16:17
  • You should have included that info in the question. It wouldn't have made much difference for this question, but you should be as detailed as you can be, and definitely tell us from which perspective you approach the issue. – yannis Dec 06 '11 at 22:47

1 Answer

7

The nature of HTML and JavaScript is such that the client has access to all the code.

What you are trying to do is like trying to build an HTML website while securing the HTML code from theft.

This simply can't be done.

yannis
Morons
  • I was afraid of this answer, however, I figured I'd ask in case someone has some fancy tricks. – Sai Dec 06 '11 at 16:13
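
The answer's point, that everything shipped to the browser is readable by the client, can be turned into a build-time check. The following is an added example, not part of the original question or answer: a Node.js function that flags server-side secrets appearing in a client bundle verbatim or under simple reversible "masking". The function name, secret names and sample bundle are all constructed for illustration.

```javascript
// Added example: flag server-side secrets that ended up in a client-side
// asset, either verbatim or under a trivially reversible encoding.
// All names and sample values below are constructed for illustration.

// Reversible "masking" schemes that do not hide anything from the client.
const ENCODINGS = {
  plain: (s) => s,
  base64: (s) => Buffer.from(s, "utf8").toString("base64"),
  hex: (s) => Buffer.from(s, "utf8").toString("hex"),
  reversed: (s) => [...s].reverse().join(""),
  charCodes: (s) => [...s].map((c) => c.charCodeAt(0)).join(","),
};

// Returns one finding per (secret, encoding) pair present in bundleText.
function findLeakedSecrets(bundleText, secrets) {
  const findings = [];
  const lower = bundleText.toLowerCase(); // hex may be upper or lower case
  for (const [name, value] of Object.entries(secrets)) {
    if (!value) continue; // unset secret: nothing to search for
    for (const [encoding, encode] of Object.entries(ENCODINGS)) {
      const needle = encode(value);
      const offset = encoding === "hex"
        ? lower.indexOf(needle.toLowerCase())
        : bundleText.indexOf(needle);
      if (offset !== -1) findings.push({ name, encoding, offset });
    }
  }
  return findings;
}

// Constructed secrets, standing in for values a build would read from its
// server-side environment.
const SAMPLE_SECRETS = {
  CONSUMER_KEY: "ck_constructed_key_value",
  CONSUMER_SECRET: "cs_constructed_secret_value",
};

// Constructed bundle that ships the key verbatim and "hides" the secret
// behind base64, which any client can undo.
const SAMPLE_BUNDLE = `
  var k = "ck_constructed_key_value";
  var s = atob("${Buffer.from(SAMPLE_SECRETS.CONSUMER_SECRET).toString("base64")}");
  signRequest(k, s);
`;

for (const f of findLeakedSecrets(SAMPLE_BUNDLE, SAMPLE_SECRETS)) {
  console.log(`${f.name} present in bundle (${f.encoding}) at offset ${f.offset}`);
}
```

A clean result does not show that a secret is safe to ship, since no scanner can enumerate every transformation. The check only catches mistakes; the secret itself has to stay on a server.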