API Key exposed by OnchainKit provider #749
Comments
|
It also does not appear to be possible to revoke or rotate this API key. |
|
Putting the API key in an .env file will not resolve the issue. Because this a client component, the key will still be exposed in client side code at runtime. |
|
Hey @richardrauser, here a few points around API Key developer experience so far:
Stay tuned for coming up improvements, and thank you for sharing your experience. |
|
@Zizzamia thanks for the explanation. I always question the benefit of services that require public API keys of the nature you describe. Presumably these are used for things like access control, rate limiting, etc (but not for access to sensitive data or functionality), but if a bad actor can so easily rip off some other app's public key to circumvent a key revoke or rate limiting that their own key has become subject to, what's the point? In the worst case, a competing app or business might take another app's key and intentionally induce a key revoke or rate limiting to disrupt their business. |
|
I think, it's important for OnchainKit in the next few months give both options of running API in the frontend or decide to use your own backend proxy APIs. I can keep this Issue open as we ship more things towards supporting both. |
Describe the bug and the steps to reproduce it
Follow the OnchainKit Getting Started guide: https://onchainkit.xyz/getting-started
This necessitates exposing a Coinbase API key in a client component, meaning any users of the web app implementing OnchainKit can access the key.
GitGuardian reports this as a critical security vulnerability.
What's the expected behavior?
OnchainKit does not require an API key to be exposed to end users.
What version of the libraries are you using?
0.23.4
The text was updated successfully, but these errors were encountered: