Skip to content

re: Is it safe to use Google APIs from Client-Side Javascript 🤔 ❓ VIEW POST


This is a common problem with client applications. The same problem also affects mobile apps. Consider API keys and other secrets not to be secret anymore when you decide to bundle them with your client apps. See also:

However, when you set up Google Drive API credentials for the first time Google guides you through a small questionnaire and also asks you how and from where you want to access their APIs:

Screenshot of Google API credentials setup wizard

One of those options is "Web browser (JavaScript)". When you select that option the only credential you are offered is the client ID, which is not a secret. It's basically just a unique identifier for your application. You can safely embed that in your JS code. Nothing to worry about.

Have you tried that instead? Does it work in your case?

Other than that, just in principle when you're dealing with 3rd party API keys and secrets, your best bet is to run your own web server and web API, and let that talk to 3rd party APIs on behalf of your client app.

That way you don't expose your secrets. However, it's up to you to implement your own auth schemes in order to limit and guard access to your own web API.

In case of Google Drive access, you're basically asking your end users to trust your app with their confidential documents. Here it's a bit more reassuring to let your client app do the talking directly with Google's API, and not through your service as a man in the middle.

code of conduct - report abuse