--Apple-Mail-96F9B27F-7DAC-444D-9A9E-D2F3FC076CE7
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable


> El 18 ene. 2021, a la(s) 08:22, Jean-Baptiste Mardelle <jb@kdenlive.org> e=
scribi=C3=B3:
>=20
> =EF=BB=BFHi all,
>=20
> For Kdenlive, we are planning to expand the use of online services to down=
load=20
> ambiance music or videos for use in personal projects. To this purpose, mo=
st=20
> online services provide us an API key that is used to identify our app=20
> (Kdenlive) when querying their API.
>=20
> Does anyone have experience / advice on how to protect these API keys so t=
hat=20
> they are not publicly available ? Is there any KDE online service or frame=
work=20
> helping to achieve that ?
>=20
> Thanks in advance for your help,
>=20
> Jean-Baptiste Mardelle

Protecting an API key on a locally-running application is impossible even fo=
r a closed source app. It's equivalent to the impossible task DRM intends to=
 achieve (hiding the content decryption key from the user while decrypting c=
ontent on their computer). If you give the application to the user, as oppos=
ed to running everything in a server, the key *will* be publicly available.

https://invent.kde.org/pim/kdepim-runtime/-/blob/master/resources/imap/gmail=
passwordrequester.cpp#0016

--=20
Nicolas=

--Apple-Mail-96F9B27F-7DAC-444D-9A9E-D2F3FC076CE7
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div dir=3D"ltr"><br></div><div dir=3D"ltr"=
><blockquote type=3D"cite">El 18 ene. 2021, a la(s) 08:22, Jean-Baptiste Mar=
delle &lt;jb@kdenlive.org&gt; escribi=C3=B3:<br><br></blockquote></div><bloc=
kquote type=3D"cite"><div dir=3D"ltr">=EF=BB=BF<span>Hi all,</span><br><span=
></span><br><span>For Kdenlive, we are planning to expand the use of online s=
ervices to download </span><br><span>ambiance music or videos for use in per=
sonal projects. To this purpose, most </span><br><span>online services provi=
de us an API key that is used to identify our app </span><br><span>(Kdenlive=
) when querying their API.</span><br><span></span><br><span>Does anyone have=
 experience / advice on how to protect these API keys so that </span><br><sp=
an>they are not publicly available ? Is there any KDE online service or fram=
ework </span><br><span>helping to achieve that ?</span><br><span></span><br>=
<span>Thanks in advance for your help,</span><br><span></span><br><span>Jean=
-Baptiste Mardelle</span><br></div></blockquote><br><div>Protecting an API k=
ey on a locally-running application is impossible even for a closed source a=
pp. It's equivalent to the impossible task DRM intends to achieve (hiding th=
e content decryption key from the user while decrypting content on their com=
puter). If you give the application to the user, as opposed to running every=
thing in a server, the key *will* be publicly available.</div><div><br></div=
><div><a href=3D"https://invent.kde.org/pim/kdepim-runtime/-/blob/master/res=
ources/imap/gmailpasswordrequester.cpp#0016">https://invent.kde.org/pim/kdep=
im-runtime/-/blob/master/resources/imap/gmailpasswordrequester.cpp#0016</a><=
/div><div><br></div><div>--&nbsp;</div><div>Nicolas</div></body></html>=

--Apple-Mail-96F9B27F-7DAC-444D-9A9E-D2F3FC076CE7--