[Support Guide] How do I keep my API keys/tokens safe using Netlify Functions?

Support Support Guides
, ,
#1

Last reviewed by Netlify Support on December 2022

With Jamstack sites, using API keys/tokens to make API calls to other services is a frequent pattern. In some cases, you may want to hard code the keys in your html, when invoking those API calls - which on a service like Netlify means these keys are now public. Anyone can open their browser dev tools and view them, and of course this can lead to someone abusing this access.

In some cases, this is fine. For instance, some types of Firebase and FaunaDB keys are intended to be public; they have a permissions model where little harm can be done and no data can be exported. However, this is NOT the case for AWS access tokens! You’d definitely not want those details to be public or bad things can happen. There are plenty of horror stories of leaked authentication keys, like this one.

There are several things you can do to keep these keys secure at Netlify. One best practice is to never commit any sensitive keys/tokens to your git repository. If you just need a token during build, you can use our Environment Variables build settings to set a value for a $API_TOKEN environment variable, and reference it during build. Nearly all headless CMS’s use this pattern, for instance - Netlify knows how to access your data from Contentful or Sanity, and pulls it in during build. You may not need the token at browse time, and so it isn’t in your HTML output, and you’re safe! We even have a feature to require review on all PR’s from non-Netlify-team-members in case you do list your sensitive environment variables in our UI.

Using Functions is another great way to keep those keys secure. Here’s a project that I call ‘token hider’ that does just that - makes a request at BROWSE TIME, securely - the value is ONLY known to the function and is NOT in your HTML - and is a great example starting point for anyone wanting to do the same! If you don’t hardcore the function, you’ll want to put the variable in our UI (Deploy & Build settings, in the “Environment Variables” tab), from where it will be deployed with your function(s).

3 Likes
Best Practices for Storing Tokens
Where to store the auth_config.json file in Netlify
Gatsby Netlify and secret keys in gatsby-config.js
Why are my env key not hidden in dev mode?
[Support Guide] Can I run a web server, HTTP listener, and/or database at Netlify?
Hiding API Keys with Netlify Functions in Gatsby
Help securing Fauna database for use with Netlify
Help needed re : usage of environment variable / snippet injection
It's possible to hide an JS?
Environment Variables not working in production
React Route params not working after deployment
Netlify mapped js website doesnt run when deployed and runs when yarn started
Netlify not loading environment variables
My page keeps breaking each time i reload
I deployed my site but it shows blank
Doordash integration
React.JS website not displaying on netlify
Build error due to sensitive data in .gitignore file
How do I include external javascript file?
Is auto clone and deploy to a new sub domain possible?
React CORS error in netlify