crypto-bug-hunters / bug-buster

🪲 Bug Buster, a bug bounty platform powered by Cartesi Rollups
https://x.com/BugBusterApp
Apache License 2.0

Create JWT Key Pair to use with Alchemy #50

Open endersonmaia opened 7 months ago

endersonmaia commented 7 months ago

So that we don't expose the Alchemy API Token that will be used by the front-end code, we should use JWT Authentication.

We're gonna need to generate and store the key pair safely, and make the process of importing the public key into the Alchemy account and the Application API Token.

https://docs.alchemy.com/docs/how-to-use-jwts-for-api-requests

brunomenezes commented 7 months ago

That is interesting. @endersonmaia for that you are trying to cover what exactly? Sunodo/Dapp deployment?

Because, when I joined the explorer (staking), I was perplexed to have these keys available, even though it looked "usual" in the space. But where I come from (Banking), that would never happen.

endersonmaia commented 7 months ago

> That is interesting. @endersonmaia for that you are trying to cover what exactly? Sunodo/Dapp deployment?

Actually, I'm just worried about leaking the API keys in the front-end code. I'm not that savvy on front-end stuff, but in the backend this is not publicly available and we can even use some kind of secrets management. AFAIK, if the API key is part of the front-end code it will be available on the client side (web browser), right? So a JWT token would be a way to solve this.

brunomenezes commented 7 months ago

> Actually, I'm just worried about leaking the API keys in the front-end code. I'm not that savvy on front-end stuff, but in the backend this is not publicly available and we can even use some kind of secrets management. AFAIK, if the API key is part of the front-end code it will be available on the client side (web browser), right? So a JWT token would be a way to solve this.

Correct. The key will be visible during the calls; just check the network tab, and you can see it. Depending on the strategy, a short- or long-lived token would solve that.