[Solved] Strategies for API Keys in Code
#1
I'm updating Artist Slideshow, and in working with the folks at theaudiodb.com, it looks like my API key for that site is being used by someone else (their logs are showing calls using my API key to URLs I don't call in AS). I'm getting a new key so that we can figure out the actual load AS is putting on their servers, but this has gotten me to thinking about how to deal with this. I publish all my code to a free github account, so it's all public and searchable. I've heard of people crawling github looking for keys to use, so the fact that the keys are in the code seems problematic to me now. As I see it, I have a few options:

1- change the name of the variable so that it's not something like api or apikey. (done for the new version of AS, but it only masks the problem by making it harder to crawl for the keys)
2- pay for a github account so I can make all my repos private (but that means others can't see or fork the code, and there's a cost to me then)
3- remove the API keys from the code (but then I have to figure out a way to have AS download the keys after install)

What are others doing to address this?
#2
Maybe encode it? Base64? Keeps the dumb people out.

You could also distribute your key via a separate script and host the rest.
#3
Yeah, it happened to me a few times as well, with one of my weather addons.
I've always wondered why people would 'borrow' an API key when you can simply apply for your own key in most cases.

To protect the key from crawlers, 1 is a good option, combined with some obfuscation of the API key.
For instance, you can put the base64 encoded version of the API key in your code
and handle the decoding in Python before making an API call.

I don't see much additional value in 2 or 3. If someone is really after the key, they'll get it one way or another anyway.
All they would have to do is install the addon, read the Python code or, worst case, sniff the network traffic when the addon makes an API call.
Do not PM or e-mail Team-Kodi members directly asking for support.
Always read the Forum rules, Kodi online-manual, FAQ, Help and Search the forum before posting.
#4
Thanks for the suggestions. As I said, I changed the variable name (although almost every service has you send the API key with a parameter like 'api_key', so the text is still there). I moved the actual API key to another file and base64 encoded it. Hopefully that'll at least slow down the crawlers some. Anyone reading the code will be able to get the API key in about 2 seconds, but that's fine. I'm not trying to make the key secret, just less public.
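The arrangement described in #4, written out as an added example (not code from this thread or from Artist Slideshow): the key is stored base64-encoded in a separate data file and decoded only when the call is made, so a naive assignment-hunting regex of the kind a repository crawler might use no longer matches the source, while anyone who runs the code still recovers the key. The sample key, file name and variable names are constructed for illustration.

```python
import base64
import os
import re
import tempfile

# Constructed sample value standing in for a real API key.
SAMPLE_KEY = "0123456789abcdef"

# Roughly what a lazy crawler greps for: a variable named like an API key
# assigned a long quoted literal. Deliberately simple; smarter scanners exist.
CRAWLER_PATTERN = re.compile(
    r"api_?key\s*=\s*['\"]([A-Za-z0-9]{12,})['\"]", re.IGNORECASE
)

# Source as it looked before (#1) and after (#4). Both strings are constructed.
PLAIN_SOURCE = "apikey = '%s'\n" % SAMPLE_KEY
OBFUSCATED_SOURCE = (
    "svc_token = load_api_key(os.path.join(ADDON_PATH, 'resources', 'key.dat'))\n"
)


def crawler_hits(source_text):
    """Return the literals the naive pattern would pull out of a source file."""
    return CRAWLER_PATTERN.findall(source_text)


def write_encoded_key(path, key):
    """Store the key base64-encoded in its own data file, outside the .py code."""
    with open(path, "wb") as fh:
        fh.write(base64.b64encode(key.encode("utf-8")))


def load_api_key(path):
    """Decode the key at runtime, immediately before it is sent to the service."""
    with open(path, "rb") as fh:
        return base64.b64decode(fh.read()).decode("utf-8")


def roundtrip(key):
    """Write the key the #4 way and read it back; shows decoding is trivial."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.dat")
        write_encoded_key(path, key)
        return load_api_key(path)


if __name__ == "__main__":
    print("plaintext source, crawler finds:", crawler_hits(PLAIN_SOURCE))
    print("obfuscated source, crawler finds:", crawler_hits(OBFUSCATED_SOURCE))
    print("but the addon itself still gets:", roundtrip(SAMPLE_KEY))
```

The regex defeats only the pattern the crawler was written for; a user who installs the addon, or the service's own logs, can still reveal the key, which is exactly the limit #3 and #4 describe.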
#5
About a year ago, by mistake I pushed a client's Amazon AWS api key to my public GitHub.

Within 2 days I got an email from Amazon informing me that they had come across the key on a publicly accessible site and had therefore revoked the key.

Pretty impressive if you ask me.

Sent from my iPhone