AgoraIO / Basic-Video-Broadcasting

Sample app to join/leave a channel, set the role as a host/audience, mute/unmute, switch between front/rear cameras, and set the video parameters.
MIT License

OpenLive-Web - How to hide API key: appId #97

Status: Closed (dentesting closed this issue 4 years ago)

dentesting commented 4 years ago

Hi guys,

As per Agora's instructions we must hide the appID. In the code below, it uses a .env file:

https://github.com/AgoraIO/Basic-Video-Broadcasting/blob/master/OpenLive-Web/src/rtc-client.js#L3

I'm not entirely sure that it is secure enough; I can still see it in the bundled source code:

```javascript
/* harmony import */ var events__WEBPACK_IMPORTED_MODULE_1___default = /*#__PURE__*/__webpack_require__.n(events__WEBPACK_IMPORTED_MODULE_1__);

const appID = "XXXX"; console.log('agora sdk version: ' + agora_rtc_sdk__WEBPACK_IMPORTED_MODULE_0___default.a.VERSION + ' compatible: ' + agora_rtc_sdk__WEBPACK_IMPORTED_MODULE_0___default.a.checkSystemRequirements());
```

or in production mode: `t._client.init("XXXX",(function()`

The token or channel is secure, as it is generated on the server, but the appID is still exposed to the client and can be abused.

Is there a way to hide the appID?

Thanks.

plutoless commented 4 years ago

Hi @dentesting, if you have turned on token then it's OK not to hide the appID, because others will not be able to join your channel with the appID only. However, if you have not yet turned on token then you are advised to hide it, e.g. obtain it from your own server without storing it in your source file. However, this is still not secure; the appID-only approach is not that secure anyway.

denisoftus commented 4 years ago

Hi. Well, in this case (I have turned on the token) it's good, I'll use it like that. Just to confirm: there is 100% no security risk having the appID in React source code, which is always visible to the browser, when token is enabled?

Also, when you say obtain it from your own server, did you mean the appID? If so, how? Do you have code examples? I believe the appId can only be assigned in the Agora Console?

Thanks.

plutoless commented 4 years ago

If you have turned on token then yes, the appID can exist in source code. By "obtain from your own server" I mean copy and paste and store it in your server's source code, then respond with it when the client requests it. Token is similar but obviously more secure.

dentesting commented 4 years ago

Ok, thanks.