Solved

Public API key best practices

  • 22 July 2021
  • 1 reply
  • 1065 views


What is best practice for using RevenueCat Public API keys in Xcode?

Are they 'public enough' to just use in source files?


1 reply

cody
RevenueCat Staff
  • Answer
  • July 22, 2021

Hey @TBZ!

Yes, it’s safe to store the public API key in your code. These keys are used to make non-potent changes to subscribers, and they can’t be used to access any sensitive data about your users. We consider a public key to be obtainable by anyone who can decompile your app, so it's not dangerous to have it exposed.

You can see this in action in our sample app here.
 

A secret key, on the other hand, should always be kept secret and should never be exposed (and should never be included in your app’s source files). These types of keys are prefixed with sk_ and can perform any API request without restriction including deleting subscribers, reading attributes, and granting promotional access. If you ever think that you might have exposed a secret key, you should revoke access from our dashboard and generate a new key.

You can read more about revoking secret keys and API keys in general here.
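
A check that follows from the answer above, added here as an example and not RevenueCat's own code: a pre-commit or CI scan that fails when an `sk_`-prefixed key appears in app source files. The page states only the `sk_` prefix; the key-body pattern, the scanned file extensions and the sample values are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumption: the page states only the "sk_" prefix. The body pattern (16+
# alphanumerics) is a guess chosen so short identifiers do not match.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_[A-Za-z0-9]{16,}")
# Assumed list of file types that end up in an Xcode project or app bundle.
SCANNED_SUFFIXES = {".swift", ".m", ".h", ".plist", ".xcconfig", ".json"}

def redact(key):
    """Keep the prefix and last four characters so the report leaks nothing."""
    return key[:3] + "*" * (len(key) - 7) + key[-4:]

def scan_text(text, name="<memory>"):
    """Return (file, line number, redacted key) for every secret-key match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings

def scan_tree(root):
    """Scan every source-like file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample; both key values are made up.
SAMPLE_SWIFT = '''\
import RevenueCat
// Public SDK key: acceptable in source per the answer above.
Purchases.configure(withAPIKey: "public_EXAMPLEexampleEXAMPLE1234")
// Secret key pasted by mistake: must never ship.
let adminKey = "sk_EXAMPLEexampleEXAMPLE5678"
let risk_scoreThresholdForPaywallV2 = 3  // contains "sk_" but is not a key
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SWIFT, "Sample.swift")
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: secret key in source: {key}")
    sys.exit(1 if hits else 0)
```

Run it with the project directory as the only argument; a non-zero exit status fails the hook or CI job.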

