0

What is the best practice for accessing a private apiKey in a nextjs component?

I have a component that needs to take an apiKey as a prop:

<Component
    apiKey={apiKey}
/>

Currently I am keeping that apiKey in an env.local file without the NEXT_PUBLIC_* prefix.

In env.local

API_KEY="abcdefghijk"

I'm trying to figure out the best way to get the apiKey in my component without exposing it to the client. The only way I've managed to get it working is by creating an api route which will grab the apiKey on the server side and return it as a response.

In route.ts

export async function GET(request: Request) {
  return Response.json({ apiKey: process.env.API_KEY })
}

Back in my Component

const [apiKey, setApiKey] = useState("")

useEffect(() => {
  fetch("/api/MyRoute").then(async (response) => { 
       const data = await response.json();
       setApiKey(data["apiKey"])
    });
  }, []);

This doesn't feel like the right way to do this to me at all, any suggestions on a better practice?

Improve this question
1
  • If you do it in the client it will be public anyway! What are you using this for? Commented Sep 12, 2024 at 19:12

1 Answer 1

Reset to default
0

If you call your apiKey inside a server component, it will run entirely on the server and can safely access environment variables without exposing your apiKey to the client.

// app/page.js
import { Component } from './Component'

export default async function Page() {
  const apiKey = process.env.API_KEY
  
  return (
    <Component apiKey={apiKey} />
  )
}

And also instead of passing the API key to the client at all, you could create API routes that perform the necessary operations server-side:

export default async function handler(req, res) {
  const apiKey = process.env.API_KEY
  // Use the apiKey to perform the operation
  res.status(200).json({ result })
}

So simply if you can perform all operations that require the API key on the server, that's generally the safest approach.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yeah ideally I would do this, but my problem is the component I'm using is a complex custom component from a third party. So that component is the one taking the apiKey as the prop and then using the apiKey to do operations on the server-side. The whole reason I'm using the third party component is to avoid the hassle of having to build it myself.
Maybe you can try to use API Route Proxy, instead of returning the API key directly, create an API route that acts as a proxy for the third-party component's operations. I am still not sure if its the exact solution for it tho but also you can check for the docs of the third party to customize how it retrieves the apiKey and safety recommendations.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.