How does one secure api keys on sveltekit 1.0

Time:01-27

I am using Ghost, I made an integration and I would like to hide the API key from the front-end. I do not believe I can set restrictions on the Ghost CMS (that would also work). And I do believe page.js files are run on the browser also, so I'm a little confused on how to achieve this?

CodePudding user response:

You don't need to hide the key.

Ghost Content API Docs:

These keys are safe for use in browsers and other insecure environments, as they only ever provide access to public data.

CodePudding user response:

The internal SvelteKit module $env/static/private (docs) is how you use secure API keys. SvelteKit will not allow you to import this module into client code, so it provides an extra layer of safety. Vite automatically loads your environment variables from .env files and process.env on build and injects your key into your server-side bundle.

import { API_KEY } from '$env/static/private';
// Use your secret

SvelteKit has 4 modules for accessing environment variables:

  • $env/static/private (covered)
  • $env/static/public accessible by server and client and injected at build (docs)
  • $env/dynamic/private provided by your runtime adapter; only includes variables that do not start with your public prefix, which defaults to PUBLIC_, and can only be imported by server files (docs)
  • $env/dynamic/public provided by your runtime adapter; only includes variables that do start with your public prefix, which defaults to PUBLIC_ (docs)
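
An added example (not part of the answer above and not SvelteKit code) that applies the prefix rule from the list: it parses a .env file and reports which variables the public modules would expose to the browser, flagging public names that look like credentials. The sample file, the variable names and the name heuristic are constructed assumptions.

```javascript
// Constructed sample .env content; all names and values are hypothetical.
const SAMPLE_ENV = `
# constructed sample
GHOST_ADMIN_API_KEY="constructed-id:constructed-secret"
PUBLIC_GHOST_URL=https://blog.example.com
export PUBLIC_PAYMENT_SECRET_KEY='constructed-value'
DATABASE_URL=postgres://localhost/app
`;

// Heuristic for names that usually hold credentials (assumption; tune per project).
// A hit means "review this", not proof of a leak: some keys are public by design.
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE|ADMIN|(^|_)KEY$)/i;

// Minimal .env parser: KEY=value lines, optional "export", optional quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Split variable names by the public prefix (PUBLIC_ by default, as in the list above).
function auditEnv(text, publicPrefix = 'PUBLIC_') {
  const report = { browserVisible: [], serverOnly: [], suspicious: [] };
  for (const name of Object.keys(parseEnv(text))) {
    if (!name.startsWith(publicPrefix)) {
      report.serverOnly.push(name);
      continue;
    }
    report.browserVisible.push(name);
    // Test the name without the prefix so the prefix itself never matches.
    if (SECRET_HINT.test(name.slice(publicPrefix.length))) report.suspicious.push(name);
  }
  return report;
}

console.log(auditEnv(SAMPLE_ENV));
```

In a build pipeline, a non-empty suspicious list is a reason to stop and review the variable before it ships in the client bundle.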