#Next.js + Python (Flask) WebSocket Security: API Key Exposure Concern

Hi everyone,

I'm working on Project<X>, a web application that provides nearby beach information. Currently, we've been testing with a simple HTML/JS frontend, but we're planning to migrate to Next.js and Vercel.

Our backend is Flask (running on Docker) with SocketIO for real-time location data in order to calculate nearby distances. My frontend developer raised a concern about API key security in the Next.js implementation.

Specifically, he's saying the API key and backend link would be visible to clients when using Next.js and socketIO.

I'm reaching out to get your expert advice:

• Is this a legitimate concern with Next.js?
• What are the recommended approaches for securing API keys in this architecture?

We want to ensure we're following best practices before moving forward with the implementation.

Looking forward to your insights!

If you use Next.js only for frontend, your api key will be exposed.
As a full stack framework Next.js can be used as BFF.

use Next.js api routes as proxy

so u mean if we will use next js api routes the api, backend links will be managed by server side

exactly

so the request flow will be like
frontend => Next.js api routes => your python backend

make sense, i wanna convince the same thing to my frontend guy, but somehow he disagree, u will join here shortly

@sharp mirage

u can talk now

This what I'm planning to do, but that's not the scenario that @timber fractal wants, here is what he wants, a socket link between the frontend and the python backend and the secret api key is on nextjs route is that even possible ???

lol - a bit difficult to understand your English but

okay so the fact is, i will give u the backend link which is running on docker

and the api key to get data right?

so whats the issue?

in the backend i have something like this

CORS(app, resources={
r"/api/*": {
"origins": [
"http://127.0.0.1:5500",
"http://localhost:5500",
os.getenv('VERCEL_DOMAIN')
],
"supports_credentials": True,
"methods": ["GET", "POST"],
"allow_headers": [
"Content-Type", "Authorization", "X-Requested-With", "Accept", "Origin"
]
}
})

well, @timber fractal @sharp mirage it's not an issue of Next.js

imagine you are just using React.js for your frontned instead of Next.js

is anything different?

i dont think so, what i can provide is the backend link and the api key to get acess, so whats the issue?

if you mean the next.js api routes, then its fine

so what's API_KEY you guys saying?

in order to make request to the backend to get some json data u need an api key

is it something like auth token to protect your python backend?

yea something like that

huh, then it's always visible

okay but for that we are using nect js api rouets right? which means it will be managed by the server

wait wait, is it auth token or API_KEY to use your service

I know it's possible that nextjs become the middle man between the frontend and another backend and will work like a proxy there is no issue with that, but that when using regular api calls (http calls get, post .. etc), but but but can it be the middle man if we are using socket call ???????

accessToken vs API_KEY which one are you referring to?

nope

using a simple API Key authentication mechanism, not OAuth or a more complex token-based authentication system.

it can't be used for web-sockets

Yes that's what I'm trying to tell him

if it's access token that you get after signin - you have to iterate it (meaning your token will be expired in certain amount of time)

and that's what I said, having token public is always fine

just be clear if it's API_KEY or auth token

mmh we didn't implemented signin/sign out yet

cuz i wanna make it accessible for everyone

api key

not oauth

so u make request something liek this for testing

curl -X POST https://e9c4-151-72-206-190.ngrok-free.app/api/set_location
-H "Content-Type: application/json"
-H "Authorization: Bearer 9xy4QtIe1wkeLvkAbkj9y3C2pIg-nU3SHqG1MPPio_J"
-d '{
"latitude": 41.9028,
"longitude": 12.4964,
"accuracy": 100,
"location": "naples"
}'

will you use HTTP request?

not websocket?

so my architecture supports both:

RESTful HTTP endpoints for standard CRUD operations
WebSocket connections for real-time, event-driven communication

i need socket connection to get real time location data to provide accurate data ..

To illustrate, when a user requests information about nearby beaches, they can navigate from one location to another. In response to this request, the backend sends the request to the frontend via a socket connection, allowing the backend to handle the remaining processing tasks.

let's summarize

if you don't have auth in your website, you can't prevent your API_KEY being exposed as long as you use real time connection

eventhough we are using next js api routes to hide api keys?

i might be wrong cuz i dont have that much exp in this field

what if

1. Move API Key to the Backend
   The API key should only reside on the backend, inside a secure environment (like Docker). The frontend communicates with the backend, and the backend then communicates with external services.
   Why: This ensures the key is never exposed to the client-side.
   Example:

Frontend ➡️ Backend ➡️ External Service (with API Key)
Backend acts as a middleman, keeping the API key secure.

well there are 2 problems

then you have to create websocket connection between Next.js api routes and the python server. but Next.js api routes will be deployed as a serverless function that doesn't support long-live connection

let say you deploy your next.js on a server(serverfull not serverless)

but by default your api routes are public

so hitting your api route will create websocket connection, right?

that's why you always need authentication

That were my words which been thrown behind their back 😑

mmh so could be the better solution

cuz at the end i dont wanna add oauth like sign in sign out

wanna make it simple so its accessible

for everyone

like perplexity ai

so hitting your api route will create websocket connection, right?

then are you okay with ⬆️

however even you are okay with above, you have to leave vercel

next.js api routes deployed on Vercel are serverless

websocket doesn't work on it

you may have to move to fly.io or some other services

Yes, based on my existing code and the use of Flask-SocketIO, it's likely that hitting our API route will initiate a WebSocket connection.

Which is a horrible scenario 😅

well my recommendation will be

add some levels to your API_KEY

so for the public access, API_KEY will be only able to use your service 5 times a day or something

and also ADD auth to your system - after login, provide higher API_KEY

for example i have added rate limits, if more than 5 requests per minutes he will get blocked for an hour lets say

so we can't make it secure without user authentication

lol authenticated system is not 100% secure

what can we expect from un-authed system in terms of security??

if i will remove the real time location system, and store the location data on a session file for once , then i might not get any issues?

tough question

@sharp mirage what solution u wanna provide

cuz at the end u are handling it

actually real time data doesn't means websocket

what kind of data do you want to show in the real time?

okay so lets say u asked to our Ai what are some beaches nearby, the backend will send a request to the frontend to get the realtime user coordinates

send back to the backend to proces for the rest

I feel like what you are saying is more close to streaming AI

yes kinda

Replace the socket with regular https request, you assuming it's real-time but it's not, because we are giving the user the data after he request it so why don't we use regular http calls.

Then the full scenario well be like this, the user call a route or a server action in next then next call the python backend secure and simple.

sorry I think I misunderstood your meaning

so what's real time user coordinates?

user geolocation?

It's not it's been delivered to you like that but it's not.

yess

oh, how can he move fast to get different results from the server while server is preparing something for the user

or am I silly to miss something? 🤣

lets say right now u are in ur home to get nearby beaches

once u go there u ask what are some restaurants nearby

in that case we need ur geolocation data

yes?

Lol it's chat website that needs your location data to make some calculation.

yes but it depends on ur position

if u are at home and then moved to some place, if u ask about nearby places, u will not get accurate data

no no my point is that

You simple ask it and it will answers, it will never provide data if you didn't make a request to it, what is the need for socket here ?

why don't you get user's location when they request something?

yes, i did this configuration

but somehoe u guys are saying that api will be visible

so only if u request

well, I think you misunderstood

at the end u will see a small ai model instead of the api

You are mixing the points

yeah mixing two points

they are independant things

okay tell me what i am missing

so let me adjust the flow

ok

user ask your AI bot - "what are the nearest shops?"

frontend hits your next.js api route

you can get his location - you don't need to make another request again to get user location

this step is where you are missing

u got his location by requesting to the frontend?

nope

user ask a question and we obivously send this question to the server (in this case Next.js api route)

right?

yes

request is something from client/browser to the server/api route

so to process the data backend needs geolocation data, right<'

my point is how it will get from

in previous next.js versions, you were able to get gelocation info from request param of the api route

but they moved that stuff recently thinking it's more like vercel feature that they don't normally need

https://vercel.com/guides/geo-ip-headers-geolocation-vercel-functions

check this npm @vercel/functions

so for each request we are making a geolocation request as backend needs right?

yeah, exactly

right now the project is structured like this

@sharp mirage so what i did wrong

I am not sure how this npm works behind but what I can sure is that it's not making a request to the browser like your scenario

so instead of making the request to the browser(client) where it makes request?

am not sure if it's actually making a request - but yeah it must be

maybe to vercel service?

does it matter?

Nooooo

It doesn't matter

??

so whats ur solution, and what u want me to change

okay as I research, this npm doesn't make any request to third parties as long as you deploy your Next.js on Vercel

but if you don't deploy your project on Vercel you are not able to use this api

are there rate limits for this api?

well, what you have to change is to update your python server to get user query and location at once

and preocess send the response

no no totally not usable

you need to use alternative ways to get geolocation data from the http request data

i believe right now its structured like this

The user location will be accessed through the browser, the frontend developer with take this data and put to the request that is going to next route, the route will take the data and make a request to python server with the data, python will respond to next route then the route will deliver the results to the client

Simple as that

you said server is making request to the browser to get user's geolocation

not at all I think

yes cuz i am using socketIO for that

from browser? what if user declines?

they can't access to our platform

The browser has gps in it or not ?

to use our ai chatbot

it asks u to give permission

I mean a gps api

okay that makes sense

The gps is on the device

so here's the point, instead of making request to the browser where should i send the request

you don't need to make any request

u are getting all at once?

browser will be sending the geolocation data with the query at once

okay, what if he moves to another place after an hour, will the geo data be same or different

if he starts a new query, browser will be sending the new geolocation

right now it works like this but uses socket

tell me if i am wrong @sharp mirage

No need for socket

ok instead of socket what to modify

thats where i got stuck

to clarify websocket is when you want to get real time events from the server

here what can be changing by time is user location on the client side

does this make sense to you all?

if something has been changed on the client side, you just make a request to the server again with updated info

but server can't send a request to the browser - that's why we need websockets

exectly

is everything clear now guys?

🙂

yes, but for other cases such as

if u reload the page it will trigger to the backend to take a certain action through an api endpoint

instead of socket how can i handle it

hmm didn't follow you - can you tell me your problem exactly?

do you have any action that gets triggered initially? like when you refresh your page?

yes

not initially but only if u reload the page

it's not related to the websocket I believe

again, websocket is only for this

hit the backend everytime you refresh the page

what's the problem? we have useEffect(() => {}, []);

right?

yes

@timber fractal are you trying to clear the session?

yes,

only the chat history

oh please don't ask to ask

gimme the problem @timber fractal @sharp mirage 😞

it keeps our conv long and long

can we talk?

if possible

just tell me

What if his network connection lost ??

it will not trigger

it will only trigger if u reload while having connection

here in europe i dont think we will have network issues

just tell me the UX feature you want to build/improve

@sharp mirage

do u want me to provide api endpoint details?

thinking following questions are out of the original question and more related to your internal coversation

@timber fractal can you close this thread by marking a solution?

alright

thanks a lot