Prevent the risk of revealing your LinkedIn API key within HTML code

For my website, I am looking to incorporate the Sign In With LinkedIn feature for user logins. The initial example snippet provided in the LinkedIn API docs is as follows:

<script type="text/javascript" src="//platform.linkedin.com/in.js">
    api_key: YOUR_API_KEY_HERE
    authorize: true
    onLoad: onLinkedInLoad
</script>

<script type="text/javascript">

    // Setting up an event listener for making API calls post authentication
    function onLinkedInLoad() {
        IN.Event.on(IN, "auth", getProfileData);
    }

    // Handling successful API call responses
    function onSuccess(data) {
        console.log(data);
    }

    // Handling error responses from API calls
    function onError(error) {
        console.log(error);
    }

    // Using the API wrapper to request basic profile data of the member
    function getProfileData() {
        IN.API.Raw("/people/~").result(onSuccess).error(onError);
    }

</script>

I'm concerned about exposing MY_API_KEY_HERE publicly. Are there any secure ways to implement this? Although there are npm packages available for handling this scenario, most of them are outdated and haven't been updated in quite some time.

My application is built using node and express. Should I opt for one of the older npm packages or is there a more effective way to protect the api_key?

javascriptnode.jsexpressoauth-2.0linkedin-api

Answer №1

Having YOUR_API_KEY_HERE in your javascript or website is acceptable and sometimes necessary, but be sure not to share your SECRET_KEY as both are required to interact with the API. Always prioritize using HTTPS for secure communication.

For more information on security best practices, check out LinkedIn's official guidelines at:

Understanding API Key & Secret Key:

When utilizing LinkedIn APIs, you will need two specific pieces of information - the API Key (also known as Consumer Key) and the Secret Key (or Consumer Secret).

Your API Key serves as a public identifier for your application, while the Secret Key must remain confidential and only used for authenticating your application on LinkedIn APIs.

Since both keys are necessary for confirming your application's identity, it is crucial to safeguard your Secret Key. Below are suggestions for securely storing your Secret Key:

Avoid storing it locally on mobile devices when creating native mobile applications.

Avoid exposing it in client-side code files like JavaScript or HTML.

Avoid storing it in files on web servers that can be accessed externally, such as configuration or include files.

Avoid including it in log files or error messages.

Avoid sharing it through email or posting it publicly on forums or message boards.

Remember that when exchanging an OAuth 2.0 authorization code for an access token, the Secret Key is transmitted as part of the request. Never disclose this request publicly!

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Can you develop with React using JSX without relying on a node server and instead utilizing create-react-app?

I find myself in a difficult situation - I am relatively new to React and I proposed to convert a project from pure JavaScript to ReactJS at my workplace. The catch is that I can't use a node server for this project. So far, I have been coding React w ...

node.jsreactjsjsxcreate-react-app

Playing around with TypeScript + lambda expressions + lambda tiers (AWS)

Having trouble importing modules for jest tests in a setup involving lambdas, lambda layers, and tests. Here is the file structure: backend/ ├─ jest.config.js ├─ package.json ├─ babel.config.js ├─ layers/ │ ├─ tsconfig.json │ ├ ...

node.jstypescriptamazon-web-servicesaws-lambdajestjs

Node.js TCP punching holes

I'm currently attempting to establish a TCP connection between two devices behind separate NATs using node.js. One obstacle I'm facing is determining how to specify the local port for this connection. Any insights or suggestions would be apprecia ...

node.jstcpiphole-punching

Using NodeJs to Render HTML Templates and Implement Logic on the Server Side

Hello, I am currently working on developing a widget module for my Angular 1 based UI project. This widget is meant to display real-time information. My design involves sending an HTML view to the client from the Node server (potentially using Express.js) ...

javascriptangularjsnode.jsexpressserver-side-rendering

Permitting hyperlinks in Helmets Content Security Policy (CSP

Recently, I've been encountering problems with my CSP header in Helmet. No matter what changes I make, the links always seem to be broken or return an error. How can I go about fixing this issue? Below is my current code: app.use( helmet.conte ...

node.jsexpressdiscordejshelmet.js

Struggling to grasp the concept of an Express server in Node.js

As I was following some online tutorials on setting up a Node server using Express 4, I wanted to simplify my question for better understanding. The main app.js file contains the following code (excluding other middleware lines) var express = require(&ap ...

node.jsexpress

Express routes are causing conflicts with React routes

I currently have the build files for my react application (generated from running npm run build) stored in the /public folder within my backend directory. Here is the content of my index.js file located in my backend: const express = require('express ...

node.jsreactjsexpressreact-router

Creating a drop-down menu that aligns perfectly under the bar in Material-UI: What you need to know

While working with Material-UI, I encountered a problem with my drop-down menu. Every time I click on it, it covers the bar instead of appearing below it (see image links below). https://i.stack.imgur.com/1Y8CL.jpg https://i.stack.imgur.com/emf87.jpg Is ...

javascriptcssreactjsmaterial-ui

Is there a way to view the contents of a file uploaded from <input type="file" /> without the need to send it to a server?

Having trouble uploading a JSON file from my local disk to Chrome storage. Whenever I use the <input type="file"> tag and useRef on the current value, it only returns the filename prefixed with 'C:\fakepath...' ImportExport Component: ...

javascriptreactjsformsdomgoogle-chrome-extension

`I'm encountering issues when trying to pass an array through localStorage into a new array`

This is a complex and detailed question that I am struggling to find a solution for. Despite using deprecated mysql due to hosting limitations, the problem lies elsewhere. Part 1 involves dataLoader.php, which queries the database and retrieves posx and p ...

javascriptphparraysgoogle-mapslocal-storage

What is the best way to set conditions for document side script?

I'm struggling to disable the horizontal scroll when the viewport width is 480px or less. The script that controls the scroll behavior on my website looks like this: <script> $(function () { $("#wrapper").wrapInner("< ...

javascriptjqueryhtmlcss

"Optimizing the Placement of jPlayer for Your Website

Struggling to properly position jPlayer on my webpage. After consulting jPlayer's documentation, I learned that it is supposed to be absolutely positioned by default. However, it seems to be flowing with the rest of the page content rather than being ...

javascriptjqueryhtmljplayer

Even after trying to hide the legend in a Radar Chart using the configuration option `legend: {display: false}` in chart.js, the legend

Having trouble removing legend from Radar Chart in chart.js even when using legend: {display : false}. The code is being utilized and then displayed with HTML/JS. Here is the provided code snippet: var options5 = { type: 'radar', data: { ...

javascriptchart.js

When attempting to send JSON data from an AJAX request to an Express server, a CORS preflight error is

This query has been repeated countless times. I have extensively gone through the Mozilla documentation and sifted through numerous responses until my eyes started hurting. Within my AJAX call, this is what I have: $.ajax({ type: 'POST', ...

ajaxexpress

My Gatsby website is being rendered in its HTML form on Netlify

The website build is located at . It appears that the javascript functionality is not working, and only the html version (usually meant for search engines) is being displayed. It seems like this issue is only affecting the home page. You can check out the ...

javascriptreactjsgatsbynetlify

What is the best way to prevent images from being loaded with broken links?

Currently, I am working on a new feature that involves rendering images from servers. In the process of aligning these images, I noticed an excessive amount of white space due to loading images with broken links. https://i.stack.imgur.com/jO8BR.png Here ...

javascripthtmlangular

Ensure that the assistant stays beneath the cursor while moving it

I am currently working on creating a functionality similar to the 'Sortable Widget', but due to some constraints, I cannot use the premade widget. Instead, I am trying to replicate its features using draggable and droppable elements: $(".Element ...

javascriptjqueryhtmlcssjquery-ui

NPM Error: Module 'balanced-match' Not Found

After updating the node and npm using nvm, I encountered an error when starting the node server. Despite trying various solutions suggested in stack overflow, none seemed to work for me. Below are the steps I tried: 1. Removed node modules and installed t ...

node.jsnpm

Is it possible to run Node and Apache on the same port concurrently?

Currently, I have an application running on Node.js and PHP. I am using different ports for each. Is it possible to run both Node and Apache on the same port 8080? Is there any method to run multiple applications on port 8080 simultaneously? Thank you. ...

phpnode.jsapache

Exploring the Connection Between Express.js and CORS

I developed a frontend using react.js and an API server using express.js. To handle CORS, I utilized the cors package as shown below: var passport = require("passport"); const express = require('express'); const cors = require('cor ...

node.jsexpresscorsbackend