Best practices about how to hide API Keys in Julia applications

General Usage Performance
1

The Federal Reserve Bank of St. Louis in the FRED Economic Data website states that:

  • Developers should request a distinct API key for each application they build.
  • All users of an application shall use their own API key.

I have a small application written in Julia that downloads macroeconomic information from FRED and does some statistical analysis. Would like to distribute it to my students and to avoid potential misuse would like to hide the application API key from them (a very heterogeneous class).

I am considering to compile just a portion of my Julia application using PackageCompiler.jl - specifically the part that handles the API key and related functionality (only 3 functions). So, I would split my application into two parts:

  • A compiled module that handles all FRED API interactions
  • The main application code that students will see and modify

Would this be feasible (I never used PackageCompiler)? Are there best practises about how to achieve this in Julia?

2

I’m confused by what you’re asking - each user (student) should have their own API key, right? So there’s no need to hide it? It doesn’t sound like you (the developer) should be sharing your API key.

2 Likes
3

Yes, I am also confused by what FRED is asking developers to do: developers should request a distinct API key for each application they build. If there is no need to include an “inner” distinct API key inside each application, since it is up to the user to have its own, why do developers need to ask FRED for one API key for each application. Since English is not my first language, I may most likely be misunderstanding what FRED is asking developers to do.

4

If I understand correctly your statement, you should not distribute a code with your personal API key.

A generic (programming-language agnostic) approach will be to commit a “template” file with instructions how to make a private copy of it, what to name it, and how to get a personal API key and place it there.
Your code reads this file for the key.
Whenever the file is not present, you error with instructions mentioning the template file.

1 Like