问题
Referring to the highlighted API key in the below image, I am wondering if the Blogger API key that's used for browser apps should be kept secret.
The reason I ask is because I'm planning to write a blog post about using the Google Blogger API in JavaScript and would have liked to provide a working example using the API (along with the API key in a code example) publicly on jsFiddle.
This is what I've found in the documentation (highlighted notable section):
[...] When your application needs to call an API that's enabled in this project, the application passes this key into all API requests as a key=API_key parameter. Use of this key does not require any user action or consent, does not grant access to any account information, and is not used for authorization.
So am I right to assume that I can publicly share this API key without running the risk of having someone do a malicious act with it?
回答1:
While no account information, authentication and other stuff can be obtained by the key alone, it's used to link API calls to a Google Project.
If the key is publicly available people could do requests with it and the Google API would link the requests to your Google Project. This could give malicious users the ability to spam requests with this key, probably making your account hit the daily request quota.
In the end it's up to you, but it's recommended not to make your API key public.
来源:https://stackoverflow.com/questions/16147291/should-i-keep-my-blogger-browser-apps-api-key-a-secret