I am keen to understand how I can protect my mandrill key

[landed1]

This wrapper doesn't at second glance look like it protects the users key and so the emailer can be used by someone else. Or am i missing something. But it looks cool thanks.

[akhoury]

that's running server side, NO user will have access to read the key.

at this point, using the mandrill key is like using a database password. If your server is comprised, you have a bigger problem.

[jimrubenstein]

I didn't design this library to be used in the browser; my original intent was to enable simple interaction with the mandrill api via node.js.

I'm not aware of any way to access the mandrill API via the browser without exposing your credentials to your user.

The only thing I can think to suggest right now is setting up a service on your own server to proxy the request in order to validate it and add your mandrill credentials, before passing it on to mandrill.

[welldrake]

I used the following work around for a contact us form. It assumes that you only want to send emails to a single email address, say contact@example.com for example.

1. Create a new API key at Settings > SMTP & API Info
2. Edit the API key so that Only Allow This Key To Use Certain API Calls is ticked and then only Send is ticked - this will stop anyone from using your keys to query any other data about your account
3. Give the API Key a name like Contact Us and save the edits
4. Add a new rule at Outbound > Rules with the following options:
   • if a message is sent and all of the following conditions are met:
   • recipient's email > does not match > contact@example.com
   • api key > is > Contact Us
   • then do this:
   • reject message
5. Press submit and then do some testing

If my understanding is correct, the worst a malicious user could do with this is spam your contact email address from your mandrill account. But if they know your email address they can do that anyway.