#Is putting an API key into a gdscript file safe?

Are there ways of protecting or at least obfuscating an API key in my game? Afaik gdscript is saved as plain text so I’m scared about how safe this is for published games.

It's never truly safe. Even if you manage to obfuscate it to the point that it can't be found within your project, it's trivially easy to just look at the traffic going out of your computer and see it that way

I'm not an expert but what I first think to do is send a packet to a server which then sends something to the API. This way the API key is safe & you can limit the data going through to it.

You shouldn't be able to see the API key if it's encrypted with HTTPS (regardless of whether it's part of the header or part of the URL)

As long as you set up the SSL stuff right

I suppose that's true. Unless you're making a web build, which will just show it very conveniently in the dev tools

Regardless though, if you're including an API key in a game you distribute, you should assume someone can find it

Yep Nisovin is right that no matter what the key will be accessible by someone with basic know-how if it is included in the game. If you need to have your game call out to some kind of API without leaking your key, you'd need to stand up some kind of server of your own to handle the requests for your users after you validate that they own a valid copy of the game (could use something like Steamworks for that part) and pass that onto the API instead, and the key would live safe on your server.

It's trivially easy to break SSL (and anything) when Alice and Eve are the same person