Safely storing an application's API keys

Nicolás Alvarez nicolas.alvarez at gmail.com
Mon Jan 18 14:54:37 GMT 2021


> On 18 Jan 2021, at 08:22, Jean-Baptiste Mardelle <jb at kdenlive.org> wrote:
> 
> Hi all,
> 
> For Kdenlive, we are planning to expand the use of online services to download 
> ambiance music or videos for use in personal projects. To this purpose, most 
> online services provide us an API key that is used to identify our app 
> (Kdenlive) when querying their API.
> 
> Does anyone have experience / advice on how to protect these API keys so that 
> they are not publicly available? Is there any KDE online service or framework 
> helping to achieve that?
> 
> Thanks in advance for your help,
> 
> Jean-Baptiste Mardelle

Protecting an API key on a locally-running application is impossible even for a closed source app. It's equivalent to the impossible task DRM intends to achieve (hiding the content decryption key from the user while decrypting content on their computer). If you give the application to the user, as opposed to running everything in a server, the key *will* be publicly available.

https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016

-- 
Nicolas
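
A release-time check that illustrates the point of the reply above, as an added example that is not part of the original message or of any KDE project's code: it scans a build artifact for token-like, high-entropy strings, which is how an embedded API key appears to anyone who inspects the shipped binary. The sample binary, the key, the token alphabet and the entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Runs of characters commonly used in API tokens (assumed alphabet and minimum length).
TOKEN_RE = re.compile(rb"[A-Za-z0-9_\-]{24,}")
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per project


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def find_key_candidates(blob: bytes) -> list[tuple[int, str, float]]:
    """Return (offset, token, entropy) for each token-like run that looks random."""
    hits = []
    for match in TOKEN_RE.finditer(blob):
        token = match.group().decode("ascii")
        entropy = shannon_entropy(token)
        # Padding such as "AAAA..." matches the pattern but has near-zero entropy.
        if entropy >= MIN_ENTROPY:
            hits.append((match.start(), token, round(entropy, 2)))
    return hits


# Constructed sample standing in for a compiled application; the key is fake.
SAMPLE_KEY = b"CONSTRUCTED0k3yZq7Xv2Lm9Tn4Rb8Wc"
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"libexample.so.5\x00"
    + b"https://api.example.invalid/v1/search\x00"
    + b"A" * 40 + b"\x00"          # low-entropy filler, must not be reported
    + SAMPLE_KEY + b"\x00"         # string constant as a compiler would emit it
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, token, entropy in find_key_candidates(SAMPLE_BINARY):
        print(f"offset {offset:#06x}  entropy {entropy}  {token}")
```

Run against real build output before a release, any hit is a credential that ships to every user and should be treated as public.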


More information about the kde-devel mailing list