Download zip URL exposing API key
Hi all, is there a way to generate a zip file and download link (via API) for public users without exposing the API key?
I've been exploring my options for providing public users links to download images as zip files, and I currently see two options:
- create_zip method - downside is that it generates and stores a zip file in your Cloudinary account whenever someone requests a download, which is not ideal for storage space
- download_zip_url method - this one doesn't seem to store the zip file in your Cloudinary account, which is good. However, the URL does contain the API key.
Is there an approach that would basically give us #2 without bleeding the API key to the client side?
Hi,
You shouldn't be concerned about the API Key being exposed to the client.
What should never be exposed is the API Secret. All clients that use client-side uploads have to expose their API Key anyway. This is a very common scenario and is perfectly fine.
Without the API Secret, you cannot generate relevant signatures or make any requests to the Admin API.
In addition, client-side uploads aren't possible by only providing the API Key; an upload preset or a signature is necessary in that case.
If you do not allow unsigned upload presets, every upload request has to be uniquely signed by the server side using the API Secret. As you can see, there aren't any security issues with exposing your API Key, especially if you do not use unsigned uploads.
I hope this helps. If still in doubt or concerned, please let me know what you are mainly concerned about.
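The point made in the answer above, that a request cannot be signed without the API Secret, shown as an added example that is not part of the original thread and is not Cloudinary's own code. It follows Cloudinary's documented signing scheme (sorted parameters joined with `&`, API Secret appended, SHA-1 hex digest); the credentials are constructed placeholders and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed placeholder credentials, not real values.
API_KEY = "123456789012345"              # public identifier, safe to ship to clients
API_SECRET = "constructed-secret-value"  # stays on the server only


def sign_params(params: dict, api_secret: str) -> str:
    """Hex SHA-1 of the sorted 'key=value' pairs joined by '&', with the secret appended."""
    pairs = []
    for key, value in params.items():
        if value is None or value == "" or value == []:
            continue  # empty parameters are left out of the signed string
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)  # lists are signed comma-joined
        pairs.append(f"{key}={value}")
    to_sign = "&".join(sorted(pairs))
    return hashlib.sha1((to_sign + api_secret).encode("utf-8")).hexdigest()


def client_payload(params: dict, timestamp: int) -> dict:
    """Server side: what gets handed to the browser. The secret is never included."""
    signed = dict(params, timestamp=timestamp)
    return {**signed, "api_key": API_KEY, "signature": sign_params(signed, API_SECRET)}


def verify(payload: dict, api_secret: str) -> bool:
    """Receiving side: recompute the signature over everything except key and signature."""
    signed = {k: v for k, v in payload.items() if k not in ("api_key", "signature")}
    expected = sign_params(signed, api_secret)
    return hmac.compare_digest(expected, payload.get("signature", ""))


if __name__ == "__main__":
    payload = client_payload({"mode": "download", "tags": ["summer"]}, 1700000000)
    print(payload)
    print("untouched:", verify(payload, API_SECRET))
    print("tampered: ", verify({**payload, "tags": ["private"]}, API_SECRET))
    # Someone who only knows the API Key cannot produce a matching signature.
    forged = {**payload, "signature": sign_params({"mode": "download"}, API_KEY)}
    print("signed with API key only:", verify(forged, API_SECRET))
```

The payload the browser sees carries the API Key, the timestamp and the signature; changing any signed parameter or signing without the secret makes verification fail.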
Is this documented anywhere? I'm trying to find a definitive link to reassure my team that it's okay to leave the public API key in our code repo, and I've found plenty of community posts or non-Cloudinary discussions saying as much, but I can't find anything in the official documentation.
This is the closest I've found, since Raz Ziv has the "agent" tag, which I assume means he's an actual Cloudinary rep.
Hi Scott,
Raz is indeed a Cloudinary representative :)
While there isn't anything clearly mentioned in our docs (I'll make sure to open a ticket to our docs team to correct that), I can re-confirm that there's no harm in exposing the API Key in your public code.
For extra reassurance, what I did find in the docs, for example, is that the API Key is a required parameter in our client-side Media Library widget - https://cloudinary.com/documentation/media_library_widget#3_set_the_configuration_options.
I hope that helps.
That's very helpful, thank you!