Heykuki News

Ask HN: Securing third-party API keys within frontend in 2019
3 points
somada141
7 years ago
Hi all,

I've only been working with frontend for a few months and one thing that has me stumped is handling third-party secrets required by the app, e.g. access-tokens or API keys required for interaction with MapBox [0] or Sentry [1]. I'm only referring to client-side JS, where to my understanding any bundled secret is effectively compromised, as opposed to server-side rendered websites.

While the most secure solution I've come across seems to be about having the frontend communicate with these services via a proxy, e.g., Nginx proxying requests to those services after validating the JWT token Auth0 [2] issues to the frontend client, this solution seems to be poorly supported. For example, only Nginx Plus appears to support JWT validation.

Thus I'm truly curious, how do you secure your third-party secrets needed by your frontend in 2019?

[0] https://www.mapbox.com/
[1] https://sentry.io
[2] https://auth0.com/

2 comments