Ask HN: Securing third-party API keys within frontend in 2019
I've only been working with frontend for a few months and one thing that has me stumped is handling third-party secrets required by the app, e.g. access-tokens or API keys required for interaction with MapBox [0] or Sentry [1]. I'm only referring to client-side JS, where to my understanding any bundled secret is effectively compromised, as opposed to server-side rendered websites
While the most secure solution I've come across seems to be about having the frontend communicate with these services via a proxy, e.g., Nginx proxying requests to those services after validating the JWT token Auth0 [2] issues to the frontend client, this solution seems to be poorly supported. For example only Nginx Plus appears to support JWT validation.
Thus I'm truly curious, how do you secure your third-party secrets needed by your frontend in 2019?
[0] https://www.mapbox.com/ [1] https://sentry.io [2] https://auth0.com/
2 comments
[ 33.0 ms ] story [ 190 ms ] threadAs for having to ‘wrap’ third-party services that seems like a cumbersome solution.
I guess one way to go would be to use an API gateway like Kong [0] which supports JWT validation out of the box but performance-wise I always found Nginx to be superior.
[0] https://konghq.com/kong