How to securely store users API keys submitted through client



  • I am developing a web application which will require users to provide 3rd party API keys through the client, which will then be used to make requests to the 3rd party API from the backend of my app.

    After researching, I believe the best way, and standard practice, is to store these API keys as plain text in my database.

    However, my question lies in the security of these keys while they are in the process of being sent from the client to the database.

    To further clarify, the 3rd party API keys will be entered by users client-side through a standard HTML form, and upon being submitted, the client will make a post request to my backend, which will in turn store the keys in mongodb.

    Would bad actors be able to access these keys via dev tools or some other malicious means while they are in the process of being sent from the client to the backend?

    If so, what actions can I take in order to secure them further while they are being sent from client to db?



  • An API key is basically a password. The usual protections like transport with TLS (i.e. use HTTPS) should therefore be sufficient.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2