Hiding api keys from client

i am creating a web application using django (python) and am also using the moralis sdk as a script on the front end. however, I realised that the front end code is visible to my users - thus exposing my serverUrl and my appId. Is there any way I can hide these from the client to prevent any security issues?

one example I can think of is users using my serverUrl and appId to overwhelm my server with requests and maybe even hit the limit.



so does this mean that exposing the appId and serverUrl in our application is ok as long as we have the right security configurations?

also, is there anywhere I can view how many requests I have used up so far and how many i have remaining?

yess :raised_hands: just make sure your classes have the right permissions, the only thing that is sensitive is the master key which you need to keep for yourself no matter what cost!

And for viewing how many request made not entirely sure with this, maybe @cryptokid or @kresimir have any input?

thanks yoseph! Iโ€™m actually not using the database / cloud functions, Iโ€™m only using the authenticate and Web3API (getNFTsForContract), so I do not need to use the master key - correct me if Iโ€™m wrong?

yeahhh thatโ€™s cool you donโ€™t need them :raised_hands: mostly yeah master key is for cloud functions and in case you have custom nodeJS server

Hi @rahulsw, yes, you can view your total requests usage in your account, by going to Account Settings -> Payment -> usage

1 Like

Even though you donโ€™t need to use the master key, you still need to pay attention to what was said about security. You need to lock your application before going public, otherwise anyone with your ID will be able to change your database.

1 Like

Hi, How do you block the application to avoid abuse by those who read the url and id?

Not sure, I am still in the development stage. But you should read the documentation at https://docs.moralis.io/moralis-server/database/security. All the best!