Forum Stats

  • 3,751,478 Users
  • 2,250,366 Discussions
  • 7,867,435 Comments

Discussions

Hide API_KEY in Plugin JS Code

user5764131
user5764131 Member Posts: 17 Green Ribbon
edited Feb 22, 2021 1:43PM in APEX Discussions

Hi,

I created a Dynamic Plugin to get JSON DATA from an external URL. All is working fine. Unfortunately the URL to get the data contains the API_Key to access this API and every user of my application can see this URL with API_KEY in the Browser developer tools. I have to avoid that.

I thought I can switch to PL/SQL and get the data via "apex_web_service.make_rest_request" but that doesn't work because of the server certificate is not in the Oracle wallet.

Is there another way to hide the API_KEY and not adding the SSL certificate into the wallet?


Thanks,

Carsten

Answers

  • Billy Verreynne
    Billy Verreynne Software Engineer Member Posts: 28,570 Red Diamond

    If your code requiring the key is run by a web browser, the web browser needs to know the key.

    The alternative is to execute the code on trusted server-side platform. Be that on the database or a NodeJS server.

    As for not wanting to use SSL - nonsensical to now transmit the secret key over unencrypted HTTP should the web service support this.

    user5764131