DEV Community

How To Write Your First HTTP Request to NASA

👩‍💻Tracy A King on August 03, 2019

I’m excited to introduce you to HTTP requests and provide you with tools and resources to get up and running. Learning how to work with APIs is a ...

Read full post

Erebos Manannán • Aug 4 '19 • Edited

This really highlights why you really should avoid giving frontend programs access to your API keys and other such tokens and always route requests via your backend.

You give access to your API keys and other secrets to the frontend and literally anyone can see them.

You should
1) Better block out your API key from your screenshots
2) Remove it from your example code
3) Get NASA to invalidate that one and issue you a new one

Edit: I guess the example codes use some demo key, that's probably fine. The screenshot is still easily readable.

👩‍💻Tracy A King • Aug 4 '19

The credentials have been invalidated as an extra precaution but thank you!

Amazing Dev • Aug 5 '19

This is not an issue if API tokens are restricted by domain.
There is nothing wrong with accessing the API from the frontend on its own. In some cases, it's even better (eg. when you don't want to put too much load on the backend, or you don't need to log metadata about these requests)
However it is true that more information is exposed, thus some thought should be put into how this can be abused, and how to prevent that.

Erebos Manannán • Aug 5 '19

When you say "the API" you probably very specifically mean this API specifically, there's a lot of other APIs that would require you to actually keep your credentials secret, when they e.g. result in billing events. This is why it's a good practice to avoid doing things like this on the frontend.

If your requests are causing too much load on your backend, just think what you're doing to other peoples' backends. Logging etc. is of course configurable, by you.

👩‍💻Tracy A King • Aug 4 '19

Yes!!

Andrew Brown 🇨🇦 • Aug 3 '19

This is really cool. Just having interesting data to work with for BigData or ML purposes is fun, and since I like Star Trek it plays in that theme very well.

Alejandra Quetzalli 🐾 • Aug 3 '19

OMG HOW COOL IS THIS?!?!

Jon Randy 🎖️ • Aug 4 '19

Might want to blur those credentials a bit more

👩‍💻Tracy A King • Aug 4 '19

The credentials have been invalidated as an extra precaution but thank you!

Emma Bostian ✨ • Aug 5 '19

I freaking love NASA! Great job!

👩‍💻Tracy A King • Aug 29 '19

Thank you!!

Rey Navarro • Aug 3 '19

This is so cool! thanks for sharing 🙌🏽🙌🏽

Edison Augusthy • Aug 5 '19

Let me hack NASA now

Lawrence • Aug 4 '19

Unless this is specifically for node, using JS to interact with an API using a private API key exposes it to anyone viewing the page. The proper way would be to use server-side processing.

DemonWolfFang • Jul 19 '20

Hi, this may sound very dumb. I'm using the NASA API for a Bot on Discord, how would I go about using this? I'm having very much troubles with it.

👩‍💻Tracy A King • Sep 4 '20

Oh no! Sorry I am just seeing this 🤦 This isn't dumb at all. What are you trying to do specifically? I haven't worked on bots before but I'm happy to help if there's something I can answer for you!

Erebos Manannán • Aug 4 '19

You really should pixelize those credentials a bit better.

👩‍💻Tracy A King • Aug 4 '19

The credentials have been invalidated as an extra precaution but thank you!

Erebos Manannán • Aug 4 '19

... also your API key is still in the example code.