Hiding API Keys

Can anyone tell me if it’s necessary to hide API Keys from being visible in source code, and if so, what the most non-technical way to do that would be?

Hey @howtodothis,

It’s totally fine to have your public API key in your site source. This API key only gives access to a subset of API endpoints and can’t be used to access any private information from your account.

If you need to use a secret API key though, it should never be exposed in your frontend and should only be used in server to server communications. Most of our users will write serverless functions that act as a proxy between their applications and our API.
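
A sketch of the serverless proxy pattern described in the reply above, added here as an illustration; it is not code from the thread or from the vendor. The upstream host, the route allowlist, the `SECRET_API_KEY` variable name and the use of HTTP Basic auth are all assumptions made for the example.

```javascript
// Hypothetical upstream and allowlist (placeholders, not real endpoints).
const UPSTREAM = "https://api.example.invalid";
const ALLOWED = [
  { method: "GET", pattern: /^\/orders\/[A-Za-z0-9-]{1,64}$/ },
];

// Turn an untrusted browser request into the request the function will send.
// Returns { status, error } when rejected, or { status, url, method, headers }.
function buildUpstreamRequest(clientReq, env) {
  // The secret lives only in the function's environment, never in page source.
  const secret = env.SECRET_API_KEY; // assumed variable name
  if (!secret) return { status: 500, error: "proxy not configured" };

  const method = String(clientReq.method || "").toUpperCase();
  const path = String(clientReq.path || "");
  // Expose only the operations the frontend needs. A proxy that forwards
  // anything gives every visitor the secret key's full privileges.
  const ok = ALLOWED.some((r) => r.method === method && r.pattern.test(path));
  if (!ok) return { status: 403, error: "route not allowed" };

  // Headers are built from scratch, so a client-supplied Authorization or
  // Cookie header is never forwarded. Basic auth is an assumption here.
  const token = Buffer.from(secret + ":").toString("base64");
  return {
    status: 200,
    url: UPSTREAM + path,
    method,
    headers: { Accept: "application/json", Authorization: "Basic " + token },
  };
}

// Serverless entry point; fetchImpl is injectable so it can be exercised offline.
async function handler(clientReq, env, fetchImpl = fetch) {
  const out = buildUpstreamRequest(clientReq, env);
  if (out.error) return { status: out.status, body: { error: out.error } };
  const res = await fetchImpl(out.url, { method: out.method, headers: out.headers });
  // Return only the upstream body; the outbound headers stay server-side.
  return { status: res.status, body: await res.json() };
}
```

The browser calls this function's URL with no credentials of its own, while the public key stays in the page as before.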

Thank you for confirming this, Charles.

Any plans to tokenize this? Then the window.Snipcart logic can be on the client.

Later that evening I realized the api-reference can make its own scope and the api in the client (use case) doesn’t require an Authorization header.