Download zip URL exposing API key


  • Raz Ziv

    Hi,

    You shouldn't be concerned about the API Key being exposed to the client.
    What should never be exposed is the API Secret.

    All clients that use client-side uploads have to expose their API Key anyway. This is a very common scenario and is perfectly fine. 

    Without the API Secret, you cannot generate relevant signatures or make any requests to the Admin API.

    In addition, client-side uploads aren't possible by only providing the API Key; an upload preset or a signature is necessary in that case.
    If you do not allow unsigned upload presets, every upload request has to be uniquely signed by the server side using the API Secret.

    As you can see, there aren't any security issues with exposing your API Key, especially if you do not use unsigned uploads.

    I hope this helps. If still in doubt or concerned, please let me know what you are mainly concerned about.

  • Scott Vandehey

    Is this documented anywhere? I'm trying to find a definitive link to reassure my team that it's okay to leave the public API key in our code repo, and I've found plenty of community posts or non-Cloudinary discussions saying as much, but I can't find anything in the official documentation.

    This is the closest I've found, since Raz Ziv has the "agent" tag, which I assume means he's an actual Cloudinary rep.

  • Roee Ben Ari

    Hi Scott, 

    Raz is indeed a Cloudinary representative :)

    While there isn't anything clearly mentioned in our docs (I'll make sure to open a ticket to our docs team to correct that), I can re-confirm that there's no harm in exposing the API Key in your public code.
    For extra reassurance, what I did find in the docs, for example, is that the API Key is a required parameter in our client-side Media Library widget - https://cloudinary.com/documentation/media_library_widget#3_set_the_configuration_options.

    I hope that helps. 

  • Scott Vandehey

    That's very helpful, thank you!


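The signed-upload model described in the first reply, as an added example that is not part of the thread and not Cloudinary's code: the server signs the upload parameters with the API Secret, and a client holding only the API Key cannot produce or alter a valid signature. It assumes Cloudinary's documented SHA-1 scheme (sorted parameters joined with `&`, secret appended), which should be checked against the current docs; the credentials and parameter values are constructed.

```python
import hashlib
import hmac

# Constructed sample credentials, not real ones.
API_KEY = "123456789012345"          # public: shipped to browsers
API_SECRET = "constructed-secret"    # private: stays on the server

# Fields left out of the string to sign (assumption: per Cloudinary's signing docs).
UNSIGNED_FIELDS = {"file", "cloud_name", "resource_type", "api_key", "signature"}


def string_to_sign(params):
    """Sort the signed parameters by name and join them as k=v&k=v."""
    signed = {k: v for k, v in params.items()
              if k not in UNSIGNED_FIELDS and v not in (None, "")}
    return "&".join(f"{k}={signed[k]}" for k in sorted(signed))


def sign_request(params, api_secret):
    """Server side: SHA-1 over the string to sign with the secret appended."""
    payload = string_to_sign(params) + api_secret
    return hashlib.sha1(payload.encode("utf-8")).hexdigest()


def verify_request(params, api_secret):
    """Receiving side: recompute the signature and compare in constant time."""
    expected = sign_request(params, api_secret)
    return hmac.compare_digest(expected, str(params.get("signature", "")))


def demo():
    # The server signs exactly these parameters for one upload.
    params = {"timestamp": 1700000000, "folder": "avatars", "public_id": "user42"}
    signed = dict(params, api_key=API_KEY,
                  signature=sign_request(params, API_SECRET))
    # A client changes a signed parameter but cannot re-sign without the secret.
    tampered = dict(signed, folder="somewhere_else")
    # A client signs with the only credential it holds, the API Key.
    key_only = dict(params, api_key=API_KEY,
                    signature=sign_request(params, API_KEY))
    return {
        "server_signed": verify_request(signed, API_SECRET),
        "tampered": verify_request(tampered, API_SECRET),
        "signed_with_api_key": verify_request(key_only, API_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The API Key travels with the request only as an identifier; it is excluded from the signed string, which is why publishing it gives no ability to sign.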