Store API secret/Access key in PlayCanvas game

Hi!

I am building a browser game hosted on PlayCanvas that stores game data in local storage and makes frequent POST requests to one of my APIs to make that data accessible.

Is there a best practice on how/where to store environment variables such as API keys? We are not looking to place the games behind a login screen.

I of course do not want to expose my API key to the public, but maybe I am approaching this problem from the wrong angle. Does anyone have other ideas on other ways to securely send data to an external API?

Thank you!

Hi @philippo and welcome,

If you aren’t using a login screen or auth wall, then there is no place client side where you can hide those keys. Eventually they can be reverse engineered.

What I’ll do is set up a proxy endpoint which is responsible for making the API calls. There you can add some custom logic to add some daily limits per user (e.g. per IP address) to avoid misuse.

Hi, @Leonidas thank you for your quick response.

I will investigate the proxy endpoint! Also, keep the auth wall as a backup.

Do you know of other ways we can handle this? Such as storing the data somewhere else, maybe on PlayCanvas? Sorry for my primitive questions. I am a beginner in developing browser games.

If you don’t want the key to be publicly accessible, then unfortunately it can’t be in a PlayCanvas project.

I would also make the proxy endpoint only accept requests from certain URLs to reduce abuse.

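The proxy approach suggested in the replies above, as an added example that is not part of the original thread: the API key stays in a server-side environment variable, requests are capped per IP address per day, and only allow-listed origins are accepted. The upstream URL, origin, limit, environment variable names and bearer-token header are assumptions.

```javascript
// Added example. Placeholder values below are assumptions, not from the thread.
const UPSTREAM_URL = 'https://api.example.com/v1/game-data'; // hypothetical API
const API_KEY = process.env.GAME_API_KEY || '';  // stays on the server only
const ALLOWED_ORIGINS = new Set(['https://game.example.com']); // game's host
const DAILY_LIMIT = 500;                         // requests per IP per day
const DAY_MS = 24 * 60 * 60 * 1000;
const MAX_BODY_CHARS = 16 * 1024;
const counters = new Map();                      // ip -> { windowStart, count }

// Decide the status to answer with before anything is forwarded upstream.
function admit(origin, ip, now = Date.now()) {
  if (!ALLOWED_ORIGINS.has(origin)) return 403;
  let c = counters.get(ip);
  if (!c || now - c.windowStart >= DAY_MS) { // new day: reset the window
    c = { windowStart: now, count: 0 };
    counters.set(ip, c);
  }
  if (c.count >= DAILY_LIMIT) return 429;
  c.count += 1;
  return 200;
}

async function handler(req, res) {
  const origin = req.headers.origin || '';
  const cors = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (req.method === 'OPTIONS' && ALLOWED_ORIGINS.has(origin)) { // CORS preflight
    return res.writeHead(204, { ...cors, 'Access-Control-Allow-Methods': 'POST',
      'Access-Control-Allow-Headers': 'Content-Type' }).end();
  }
  if (req.method !== 'POST') return res.writeHead(405).end();
  const status = admit(origin, req.socket.remoteAddress);
  if (status !== 200) return res.writeHead(status).end();
  req.setEncoding('utf8');
  let body = '';
  for await (const chunk of req) {
    body += chunk;
    if (body.length > MAX_BODY_CHARS) return res.writeHead(413).end();
  }
  try {
    const upstream = await fetch(UPSTREAM_URL, { method: 'POST', body, headers: {
      'Content-Type': 'application/json', Authorization: `Bearer ${API_KEY}` } });
    const text = await upstream.text();
    res.writeHead(upstream.status, cors).end(text);
  } catch { if (!res.headersSent) res.writeHead(502, cors).end(); }
}

if (process.env.PROXY_PORT) // e.g. PROXY_PORT=8080 node proxy.js
  import('node:http').then(({ createServer }) =>
    createServer(handler).listen(Number(process.env.PROXY_PORT)));
```

The `Origin` header is set by browsers but can be forged by other clients, so the per-IP cap is what bounds abuse. Behind a load balancer, `req.socket.remoteAddress` is the balancer's address and the client IP has to come from a header the balancer sets.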