On Monday, 18 January 2021 12:21:30 CET Jean-Baptiste Mardelle wrote:
> Hi all,
>
> For Kdenlive, we are planning to expand the use of online services to
> download ambiance music or videos for use in personal projects. To this
> purpose, most online services provide us an API key that is used to
> identify our app (Kdenlive) when querying their API.
>
> Does anyone have experience / advice on how to protect these API keys so
> that they are not publicly available? Is there any KDE online service or
> framework helping to achieve that?

We have a similar problem in KPublicTransport.

As others said, I don't think keeping API keys secret is possible; they need to be handed out to the user eventually after all. This already doesn't really work for closed-source applications, and open source certainly doesn't make that any easier. Terms of service requiring protection of API keys are IMHO therefore mostly wishful thinking.

I have talked to the providers of two of the backends we use in KPublicTransport about this; they understand the problem and are OK with having the API keys in public source code. That might be the more realistic approach.

Regards,
Volker