Welcome to the CSC Q&A, on our server named in honor of Ada Lovelace. Write great code! Get help and give help!


+12 votes

Is there a good way people can think of to include API keys or other sensitive information in a codebase and not have GitHub add just the key? It would be nice if it could obscure 1 line of code, but I don't think such a method exists. My closest idea would be to have your code read your API key from a file, and then ignore that file in your code, and if the user runs it without the API key file it generates one or reminds them to create a file.

asked in CSC490_Spring202021 by (1 point)

I have used the file method. It's probably the best method of obscuring API keys.

3 Answers

+3 votes
Best answer

I agree with your approach of storing it in a file and then ignoring the file. Another idea, which could be outside the scope of this class: you can have GitHub inject the encrypted API key during run time of the code when it's deployed using Jenkins. That would be if you are planning on publishing the code in production and having users. Jenkins is what many companies use to inject their credentials into GitHub code.

answered by (1 point)
selected by
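The file-plus-.gitignore approach from the question and this answer, as an added Python example (not code from the thread). The file name `api_key.txt`, the environment variable `MYAPP_API_KEY` and all function names are assumptions chosen for illustration.

```python
import os
import subprocess
from pathlib import Path

PLACEHOLDER = "REPLACE_WITH_YOUR_API_KEY"


class MissingKeyError(RuntimeError):
    """Raised when no usable key is available; the message tells the user what to do."""


def is_git_ignored(path):
    """True/False per `git check-ignore`; None when git or a repository is absent."""
    path = Path(path).resolve()
    try:
        result = subprocess.run(["git", "check-ignore", "-q", path.name],
                                cwd=path.parent, capture_output=True)
    except OSError:
        return None
    return {0: True, 1: False}.get(result.returncode)  # 128: not a repository


def load_api_key(path="api_key.txt", env_var="MYAPP_API_KEY", check=is_git_ignored):
    # A value injected by the deployment environment takes precedence over the file.
    if os.environ.get(env_var):
        return os.environ[env_var]
    key_file = Path(path)
    if not key_file.exists():
        # First run: write a template the user fills in, readable by the owner only.
        key_file.touch(mode=0o600)
        key_file.write_text(PLACEHOLDER + "\n")
        raise MissingKeyError(f"Created {key_file}; put your API key in it and re-run.")
    key = key_file.read_text().strip()
    if not key or key == PLACEHOLDER:
        raise MissingKeyError(f"{key_file} still holds the placeholder; add your API key.")
    # Refuse a key file that git would pick up (untracked-and-unignored, or tracked).
    if check(key_file) is False:
        raise MissingKeyError(f"{key_file} is not ignored by git; add it to .gitignore "
                              "(and `git rm --cached` it if already committed).")
    return key
```

A key that was ever committed stays in the repository history, so it should be revoked and reissued rather than only untracked.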
+1 vote
answered by (508 points)
+1 vote

For instructions on how to do the separate file and .gitignore approach for React, see:


answered by (508 points)

"Unfortunately, keeping any key in your React client, even if you are using gitignore and an .env file, is not secure. As pointed out by @ClaudiuCreanga, React environment variables are embedded in the build and are publicly accessible." - Antonia Blair, Stack Overflow