
I'm not sure there's a way, I could just set up a proxy or a network logger on my computer and see where your app connects to.

Why do you need to hide the endpoints?

A possible solution is to proxy your endpoints through a server

client ---> reverse proxy ---> real server 1 (real server 2)...
 

Let's say I'm using an API from UNSPLASH. They give me two keys. I use a "dotenv" file to store these as environment variables. Even if I make a build of it, that .env file will be in my app folder and hence that will be exposed to users.

 

You can't ship the env file to the users, you must, for example, have a server that'd act as a proxy.

So I have to make a server where the code for Unsplash API will work and set env variables there?

But what if it's an open source product and there is no way to monetize it. What then? 🤔

I think your best bet is to have a server. Your app calls this server and the server calls Unsplash and other APIs and returns the data.

But what if it's an open source product and there is no way to monetize it. What then?

Open source does not mean you can't possibly monetize it, but let's say you really can't because of something. Can you work within a free tier of some service? Things like Google Cloud, Zeit, Heroku have good free tiers.

You might even be able to do everything within the context of a serverless backend, writing just a thin layer.

It depends on what you're trying to do.

Free tier can be a great option.

You might even be able to do everything within the context of a serverless backend, writing just a thin layer.

Elaborate?

I meant that if the only thing you require is to call an API and get back the result you might not need to build an entire server side application, it might be enough to call a serverless function and let it do it for you.

For example, in this post @didil explains how you might go about writing an API to resize images. In his case he's using a Go library that processes the image but if he wanted (just for our sake) to call Cloudinary's service instead, he would call that, leaving Cloudinary's keys on the server.

Zero servers manually configured.

There's a lot of content here:

Then either you provide an Unsplash proxy for free, you provide the Unsplash proxy source code/binary for anyone to host (and provide a way to configure the proxy target in your software), or you don't provide Unsplash at all.

Another option would be to build it such that you request the end user to create an Unsplash API key, configure it in your application and use that instead.

That's right, this will work if the user has an Unsplash account, which maybe they don't. Thanks for suggesting though.

 

Think about video games and how well DRM has worked preventing users seeing the insides of shipped games.

You could obscure your code and endpoints but nothing you ever give to your clients will be truly "hidden" from them.

The more you obscure, the more of a fun challenge you'll give to a reverse engineer!

 

If the client has it, it's dead.

If you need to hide your endpoints, you can't give anything to the client at all.

 
 

One way is to install API gateways and allow them to act as a middleman to proxy your API services. You can look at Kong API gateways to help you with that. Hope it helps.
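The proxy approach suggested in the comments above, sketched as an added example that is not part of the original thread or any commenter's code: the Unsplash access key lives only in the server's environment, and the proxy relays an allow-list of read-only paths instead of acting as an open relay. Assumptions: Node 18+ (global `fetch`), the key in a variable named `UNSPLASH_ACCESS_KEY`, port 8787, and the helper names `buildUpstreamRequest`, `handle` and `startProxy`.

```javascript
// Added example: server-side proxy that keeps the Unsplash access key off the client.
// Assumptions: Node 18+ (global fetch), key in UNSPLASH_ACCESS_KEY, port 8787.
const UPSTREAM = 'https://api.unsplash.com';
// Only these read-only paths and query parameters are relayed.
const ALLOWED_PATHS = new Set(['/search/photos', '/photos/random']);
const ALLOWED_PARAMS = new Set(['query', 'page', 'per_page', 'orientation']);

// Build the upstream request from the client's URL, or return null to refuse it.
// Client headers are never copied, so a client cannot supply or read the key.
function buildUpstreamRequest(clientUrl, accessKey) {
  const incoming = new URL(clientUrl, 'http://proxy.invalid'); // base is a dummy
  if (!ALLOWED_PATHS.has(incoming.pathname)) return null;
  const outgoing = new URL(incoming.pathname, UPSTREAM); // host is always UPSTREAM
  for (const [name, value] of incoming.searchParams) {
    if (ALLOWED_PARAMS.has(name)) outgoing.searchParams.append(name, value);
  }
  return {
    url: outgoing.toString(),
    headers: { Authorization: `Client-ID ${accessKey}`, 'Accept-Version': 'v1' },
  };
}

// HTTP handler: refuse anything off the allow-list, otherwise relay the JSON body.
async function handle(req, res, accessKey, fetchImpl = fetch) {
  const upstream = req.method === 'GET' ? buildUpstreamRequest(req.url, accessKey) : null;
  if (!upstream) {
    res.writeHead(404, { 'Content-Type': 'application/json' });
    return res.end('{"error":"not found"}');
  }
  try {
    const reply = await fetchImpl(upstream.url, { headers: upstream.headers });
    res.writeHead(reply.status, { 'Content-Type': 'application/json' });
    res.end(await reply.text());
  } catch {
    res.writeHead(502, { 'Content-Type': 'application/json' });
    res.end('{"error":"upstream unavailable"}');
  }
}

async function startProxy(port = 8787) {
  const http = await import('node:http');
  const key = process.env.UNSPLASH_ACCESS_KEY; // set on the server, never shipped
  if (!key) throw new Error('UNSPLASH_ACCESS_KEY is not set');
  return http.createServer((req, res) => handle(req, res, key)).listen(port);
}

if (process.env.START_PROXY === '1') startProxy();
```

The proxy's own address is still visible to anyone watching the app's traffic, so it needs its own rate limiting or per-user authentication; what it protects is the key, not the endpoint.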

Sarthak Sharma profile image
JavaScript Nerd👨🏻‍💻| Philosopher🧘🏻‍♂️ | Life Hacker🔧 | Health enthusiast🏋🏻‍♂️