#API key help

Hello, I would like to make a client side 1.21.6 mod which uses an API that requires an API key. I am able to do that already, but the problem is that I dont want to share the key with the users of my mod. I also dont want to obfuscate the code. Is there any way to do that? I tried to look into some open source mods that have it, but didnt really understand how they do it. I believe they use their own API server as a proxy, but im not sure. Any help is appreciated.

use a .env and add to gitignore

secrets.properties? idk the right naming scheme

Would that actually let the user use the API features in the mod?

No, it's not possible. You need to either ask the users for their key, or use a proxy server.

It's not possible without a proxy because the client needs to send the request. To authorize the request, you need to send the key. To send the key, you need the key. Even if you encrypt it, you need to decrypt in the code. Might prevent scraper bots, but it's still there and easy to reverse engineer.

On the other hand, neruina has (had?) an API key in it that was obfuscated, and I don't think anyone bothered grabbing that.

This works only if the users also have their own .env with a valid key.

yea, thought so

how hard would it be to make the proxy server? atm I think ill just let the key be there and hope nobody is going to bother looking for it

Should be easy peasy to make a proxy. Still doesn't prevent abuse of the key though. You can limit it in scope, which is easy enough. Preventing bad actors from using what's in scope is a whole new story.

If you are gonna leave the key there, at least encrypt it and obfuscate it a bit from easy regex searches. Don't want bots grabbing it.