Is this API Key Secured?

Hi all, new to API security and just want to double check that this is properly secured (Image below).

Also, I make sure to remove my initialization values when possible, but of course, I can’t do that for API keys. But, my API keys should be safe if I set them to private when using a url parameter, or when it’s a private key in header situation right?

Also, should I avoid using APIs that get keys from parameters on the front-end and only use them in the backend or is that not necessary?

One last thing, which is more specific. I have a cloudconvert API call that is set up with API keys, however, the webhook for receiving the converted file is public. How do I go about this? There has to be some sort of security measure I can put in place to make sure the webhook is a legitimate one right? All I can think of is to check if the CloudConvert job date >= current date - 5 mins. Any other suggestions?

Thanks! :slight_smile:

No. If it’s in the URL it’s not secure. It needs to be inside your header.

This is more secure in header, however, the call will be made on server side if there’s a parameters set (private or not, shared or not). Same for headers.
So what you need to avoid is to have something like: https://www.api.call.com?api_token=123456789 because this could be made on client side if you check the attemp to make the call from the browser checkbox. But if you do api_token=[api_token], this option to make the call from the browser should disappear because the call will be made server side. However, one of your user could inspect request if this is public (uncheck private checkbox), making the key unsecure.

So if I am understanding you correctly, that would mean that currently, my API token is properly protected right?

I dived deeply into the network tab of developer tools, and could not find it anywhere. I could only see the API response, which doesn’t hold any sensitive information.

From the first screenshot, yes it is!