How to let my shiny app users use my API key without showing it?

[KPdir]

I'm hoping to use the google distance matrix API in my shiny app. It requires API key identification (Not O-auth 2). The queries look something like this:

https://maps.googleapis.com/maps/api/distancematrix/xml?origins=Vancouver+BC&destinations=San+Francisco&mode=bicycling&key=YOUR_API_KEY

• I would like to let users of my shiny app to use the app with my personal API KEY
• How and where can I store my API KEY so that it can be accessed by my shiny app running on the shinyapps.io server.
• How can I store it securely and only make it available to the program (shiny app hosted on shiny server) and not the users?

-- I read through the documentation on the https://developers.google.com/console/help/new/#generatingdevkeys page and did not get sufficient clarity. -- I also checked out Jenny's googlesheets package. However that seems to use a different form of authentication.

Does anyone have experience with this or ideas ?

[jennybc]

It seems like you could put it in the code of your Shiny app. Either in one of the app files or perhaps in a startup file, .Rprofile or .Renviron (better since you could still share app code somewhere but gitignore this file). I don't see how a user could access the key. There's not some feature like "see the underlying code" is there? I do think this is pretty insecure, so would never do w/ a key that would allow someone to, say, spend my money! But that doesn't seem to be the case here.

[KPdir]

I was not sure if putting the key in .Rprofile or .Renviron and then gitingoring it would communicate the key to the shiny app server. If that works that's wonderful. Will give it a shot.

Also, as you mention its not a big worry to loose the key in this case since I have not enabled billing :)

Thanks a lot!

[daattali]

shinyapps.io is completely independent of git, it doesn't care what's in your .gitignore file. Putting your Rprofile in a gitignore only means that when you push your code to git it won't show up in your repo, but when you deploy your app to shinyapps.io it will still have that file. What Jenny suggested is what I'd suggest as well.

If you're not happy with this solution I recommend you ask this question on the official Shiny support forum https://groups.google.com/forum/#!forum/shiny-discuss (first do a quick search there to see if anyone else asked a similar question before)

[jennybc]

@KPdir To be clear, you NEED the key to go to the Shiny app server. But, according to you, you don't want it revealed to your users and perhaps on GitHub. It all depends on how sensitive the key is. For example, the developer of knitr has built-in a key for imgur.com, so that figure uploading "just works" for users. Sure, someone could abuse it. But he's decided that the pros -- USABILITY -- outweigh the cons. Depending on what an API does and how much power the key alone confers, you don't necessarily have to treat the key or client id/secret like top secret info.

[KPdir]

Hi @jennybc and @daattali , thank you both very much for those replies. That makes a lot of sense to me now. Revealing the API key is not really critical in this case since it does not allow any access to my user-specific data with google; its just a key for that API. I just put the keys in .Rprofile and shipped it with everything else to Shinyapps.io server as you suggested and it works perfectly, I had no issues ( my app: findbesttime ).

Thanks a lot! Kedar