Cover Your API Keys With an API Proxy Server


Web Development

In this report/tutorial, we are likely to make an API Proxy Server applying NodeJS, and the major explanation driving this is to show you how to hide general public API keys and not expose them in the general public like I was accomplishing in the past. All of us have created an software once just to get to know a new library or a framework, and the finest way to obtain this is to use an open up API (like TMDB).

Most of these open up APIs need introducing the API important in the request URL or in the headers just before earning the ask for. Possibly way, the API key can be stolen and made use of by people today that are not in fact possess this vital. As a outcome, you may possibly stop up with a suspended account, or your software not operate as you’ve got expected it to.

Don’t forget this: The API keys belong to the server aspect of your application.

With no even further chatting, let us make this API Proxy server. For the sake of this posting/tutorial, we are heading to use Weather API.


Right before begin coding, we need to have to have the followings:

  • API essential
    Open the OpenWeatherMapAPI website, make a no cost account, go to My API keys and develop just one.
  • Primary know-how of JavaScript and NodeJS
  • Espresso

Dependencies and Scripts

Produce the application’s task folder

cd ~/Files/tutorials
mkdir api-proxy-server && cd api-proxy-server
npm init -y

Set up expected NPM deals

npm put in -S specific cors dotenv axios
npm install -D nodemon # for faster progress

Put together scripts inside bundle.json file

    "begin": "node index.js",
    "dev": "nodemon --config nodemon.json"

Let’s acquire a glimpse at the project’s folders and documents just to have a clearer impression of the composition.

├── src
│   ├── utils
│   │   └── env.js
│   └── routes
│       └── index.js
├── bundle.json
├── nodemon.json
├── index.js
└── .env
3 directories, 6 data files

Build an index.js and a nodemon.json file at the root of the challenge.

// nodemon.json

  "verbose": real,
  "ignore": ["node_modules/"],
  "enjoy": ["./**/*"]

Prior to we start enhancing the entry (index.js) file, we want to develop two other helpful information. The initially a person is the .env file the place all of our environment variables are living. It is really likely to be a bit reusable in purchase to be able to use it with other community APIs besides OpenWeatherMap API.

API_PORT = 1337
API_Foundation_URL = ""
API_Crucial = "1d084c18063128c282ee3b41e91b6740" # not basically api essential use a legitimate just one

And the other file is the src/utils/env.js which is dependable to study and export all the setting variables.

have to have("dotenv").config()

module.exports = 
  port: Number(course of action.env.API_PORT) 

Now it is really time to edit the main file and include some logic to this proxy server software.

// imports
const convey = have to have("categorical")
const cors = involve("cors")
const env = require("./src/utils/env")

// Application
const application = express()

// Middlewares
app.use(convey.urlencoded( extended: true ))

// Routes
application.use("/api", demand("./src/routes")) // Each individual request that starts with /api will be dealt with by this handler

// This route will cope with all the requests that are not managed by any other route handler
application.all("*", (ask for, reaction, next) => 
  return response.position(404).json( message: "Endpoint not located!" )

// Bootstrap server attention(env.port, () => 
  console.log(`Server is up and running at http://localhost:$env.port`)

Points here are incredibly uncomplicated it can be a essential ExpressJs server software. On the leading, we’ve bought the necessary imports. Then we have some required middleware, these as the JSON middleware, which is accountable to parse incoming requests with JSON payloads and is primarily based on body-parser. Subsequent, we have the routes where right here we manage the endpoints and their handlers. And lastly, we have obtained the bootstrapping of the server.

Let’s just take a search at the handler of the /api route.

{&#10 check out catch (error) 400&#10 return reaction&#10 .position(statusCode)&#10 .json( information: “Lousy Request”, aspects: …details )&#10 &#10})&#10&#10module.exports = router” information-lang=”textual content/javascript”>

// server/src/routes/index.js
const router = have to have("specific").Router()
const  default: axios  = call for("axios")
const env = need("../utils/env")

// [GET] Recent temperature info
router.get("", async (ask for, reaction, subsequent) => {
    const query = ask for.query  capture (mistake) 

module.exports = router

The GET ask for handler operate is having as inputs the question fields that we have presented when we contact it.

For case in point, if we didn’t have this API Proxy server, our request would glance like this conditions?q=Thessaloniki,Greece&appid=API vital, but now that we have bought it, our ask for seems to be like this http://localhost/api?q=Thessaloniki,Greece. There is no will need to insert the needed subject appid since the proxy server adds it by itself as a ask for parameter. We spared not exhibiting the API crucial while we make the request on the OpenWeatherMap API.


The main thought is to conceal your public API keys driving an API Proxy Server in order to stop buyers to steal your keys. To achieve this, it is to generate endpoints that wrap the endpoints of the precise open API delivering the API essential within the proxy server as an setting variable in just about every request that demands this vital. The evident con of this approach is that this is a time-consuming procedure and, in some cases, is not even essential.

You can get the supply code of this API Proxy server in this article.

What’s Upcoming

I was wondering to incorporate some functions to this proxy server. A person of these is to insert caching functionality in purchase to provide the facts that was recently requested more quickly. The other 1 is to increase a price limiter in get to reduce people from overusing the API and crashing the server.

Fall a comment if you’ve got thought of one more alternative to disguise your API keys or if you have any suggestions or tricks to tell me about.

Leave a Reply

Your email address will not be published.