Security for API keys

  • robertg5128-1351176849853776006

    RobertG

    1 month ago

    I'm confused about the proper security procedures for API keys. All the examples for Supabase (such as this auth example: https://toddle.dev/projects/erik_auth/branches/main/components/LoginPage) have you passing the API key as part of the header. But in another thread (https://toddle.dev/forum/Where-to-save-the-Stripe-secret-key) I saw someone recommend against using Toddle to call Stripe because, since it's on the client, someone could steal your key. Why is one situation secure and the other isn't?
  • lucasg-1351181301516075018

    Lucas G

    1 month ago

    These are two different types of keys.
  • lucasg-1351181674670460988

    Lucas G

    1 month ago

    Supabase's apiKey in this scenario is its client-side key, which is fine to use anywhere and requires an authentication header to be used.
  • Supabase's secret key cannot be used client-side as that key can do anything
  • Same goes for Stripe's key for server-side calls
  • robertg5128-1351193091918401640

    RobertG

    1 month ago

    So, tldr you can use Supabase safely, but not Stripe because it doesn't have a client-safe key?
  • lucasg-1351193258948169768

    Lucas G

    1 month ago

    You can use Supabase's anon key safely.
  • The anon key is restricted in scope. Assuming you have auth headers and RLS in place, users won't be able to make changes they shouldn't be making (e.g., delete other user data). If you don't have these things in place then users can still make those changes.
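    The RLS setup that the reply above relies on, written out as an added illustration (example configuration, not code from the thread, from Toddle or from Supabase's docs): the table name `notes` and its `user_id` column are assumptions for the sake of the example.

    ```sql
    -- Added example: a Postgres/Supabase table where the public anon key alone
    -- would be dangerous, and the RLS policies that make it safe to ship in the client.
    -- Table and column names (notes, user_id) are assumed for illustration.

    create table if not exists public.notes (
      id      bigint generated always as identity primary key,
      user_id uuid   not null default auth.uid(),
      body    text   not null
    );

    -- Weak setting (shown commented out): with RLS off, any request carrying the
    -- anon key, which is visible in the browser, can read, change or delete every row.
    -- alter table public.notes disable row level security;

    -- Corrected: turn RLS on. With no policies yet, every operation is denied.
    alter table public.notes enable row level security;

    -- Scope each operation to the caller's own rows. auth.uid() is the user id from
    -- the JWT sent in the Authorization header; it is null for unauthenticated calls,
    -- so a request with only the anon key and no login matches no rows at all.
    create policy "notes: owner can read"
      on public.notes for select to authenticated
      using (auth.uid() = user_id);

    create policy "notes: owner can insert"
      on public.notes for insert to authenticated
      with check (auth.uid() = user_id);

    create policy "notes: owner can update"
      on public.notes for update to authenticated
      using (auth.uid() = user_id)
      with check (auth.uid() = user_id);

    create policy "notes: owner can delete"
      on public.notes for delete to authenticated
      using (auth.uid() = user_id);

    -- The service_role key bypasses RLS entirely, which is why it must never
    -- leave the server; these policies only constrain anon and authenticated callers.
    ```

    A quick check after applying this: log in as user A, try to `delete from notes` through the client, and confirm that only A's rows disappear while the other users' rows are untouched.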
  • lucasg-1351193735152799895

    Lucas G

    1 month ago

    The service you are using will tell you if it's safe to use the key client-side or not
  • Supabase for example makes this clear when you try to use the service key
  • The main thing to note is the scope of the key
  • What can the key do?
  • That will tell you if it's safe to use client-side