<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"><br></div><div dir="ltr"><blockquote type="cite">El 18 ene. 2021, a la(s) 08:22, Jean-Baptiste Mardelle <jb@kdenlive.org> escribió:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span>Hi all,</span><br><span></span><br><span>For Kdenlive, we are planning to expand the use of online services to download </span><br><span>ambiance music or videos for use in personal projects. To this purpose, most </span><br><span>online services provide us an API key that is used to identify our app </span><br><span>(Kdenlive) when querying their API.</span><br><span></span><br><span>Does anyone have experience / advice on how to protect these API keys so that </span><br><span>they are not publicly available ? Is there any KDE online service or framework </span><br><span>helping to achieve that ?</span><br><span></span><br><span>Thanks in advance for your help,</span><br><span></span><br><span>Jean-Baptiste Mardelle</span><br></div></blockquote><br><div>Protecting an API key on a locally-running application is impossible even for a closed source app. It's equivalent to the impossible task DRM intends to achieve (hiding the content decryption key from the user while decrypting content on their computer). If you give the application to the user, as opposed to running everything in a server, the key *will* be publicly available.</div><div><br></div><div><a href="https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016">https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016</a></div><div><br></div><div>-- </div><div>Nicolas</div></body></html>