
Access Key security when using Javascript

Open jiimka opened this issue 6 years ago • 1 comments

At the moment, documentation says:

Your API access key is private and should at no time be shown publicly.

Yet, on the same page, there is an example with jQuery where this key is exposed to anyone looking at browser dev tools:

```
$.ajax({ url: 'https://api.ipapi.com/' + ip + '?access_key=' + access_key, ..... } });
```

I used to work with the previous API version in a similar way, but now it's actually impossible, and in order to hide the access_key, I need to perform API calls from the server side - which is not that good an idea, especially when the website traffic goes high.

I understand the idea of monetizing the service - but this part reduces its value to possible users quite significantly. Can't think of a solution right away - but firstly, I wonder if the authors see a problem with it as well.

Dec 07 '18 18:12 jiimka

Although it's not a solution to your problem, I have to do API calls from server side too, but to limit the number of requests, I added a local check to a database to check for the IP address and a stored country code. If it doesn't exist in the database, then it performs the API request, and stores it in the database to use for future use.

The idea here is there's only 1 call to the API, and the subsequent lookups are all done locally to the database.

I've only just implemented it today, but will check the stats at the end of the month to see just how much it's reduced the number of requests. Hopefully it should be quite a lot!

Apr 18 '19 16:04 ghost
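The server-side lookup with a local database cache described in the comment above, as an added example (not code from this issue or from ipapi). The environment variable `IPAPI_ACCESS_KEY`, the `ip_country` table and the `country_code` response field are assumptions; the access key stays on the server and the client-supplied IP is validated before it is placed in the request URL.

```python
import ipaddress
import json
import os
import sqlite3
import urllib.parse
import urllib.request

API_BASE = "https://api.ipapi.com/"  # endpoint shown in the issue


def open_cache(path=":memory:"):
    """Open (or create) the local cache; table name is an assumption."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS ip_country "
        "(ip TEXT PRIMARY KEY, country_code TEXT NOT NULL)"
    )
    return db


def fetch_country(ip):
    """Call the API from the server. The key is read from the environment
    (assumed variable name) and never reaches the browser."""
    key = os.environ["IPAPI_ACCESS_KEY"]
    url = API_BASE + ip + "?" + urllib.parse.urlencode({"access_key": key})
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp).get("country_code")  # assumed response field


def lookup_country(db, raw_ip, fetch=fetch_country):
    """Return (country_code, served_from_cache)."""
    # Parsing rejects anything that is not an IP literal (ValueError), so
    # client input cannot alter the URL path, and it normalises spellings
    # such as upper-case IPv6 so one address maps to one cache row.
    ip = str(ipaddress.ip_address(raw_ip.strip()))
    row = db.execute(
        "SELECT country_code FROM ip_country WHERE ip = ?", (ip,)
    ).fetchone()
    if row:
        return row[0], True
    code = fetch(ip)
    if code:  # do not cache failed or empty lookups
        with db:  # commits on success
            db.execute(
                "INSERT OR REPLACE INTO ip_country VALUES (?, ?)", (ip, code)
            )
    return code, False
```

Entries never expire here; a stored timestamp and a maximum age would be needed if IP-to-country assignments are expected to change.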