Out now! Check out the Poll results: Do you have a Shopify store?
Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Re: API key visible in embedded code

API key visible in embedded code

Andy_Million
Visitor
2 0 0

Hi all, I'm new to shopify and online retail. I did search for this, but found nothing (which seems odd).

 

I will be using the 'buy button' to sell products. All is well creating/styling the buttons. When I generate the code, I noticed my API key is visible for anyone to see if they view source on the webpage. This seems like a big security issue! How can I hide the API key easily?

Replies 9 (9)

Jason
Shopify Partner
11206 226 2315

The API keys used in the Buy Button are fine to be seen. They don't comprise the security of your store and give access to online storefront data only (aka, the stuff you can already see on the store).

★ I jump on these forums in my free time to help and share some insights. Not looking to be hired, and not looking for work. http://freakdesign.com.au ★
Chrisjean101
New Member
11 0 0

Hey Jason,

 How about if the API key is visible for other items?

Gregarican
Shopify Partner
1033 86 292

This was my concern when it comes to the Storefront API. If that key has scoped access to customers I'm wondering if a malicious party could get to the customer access token. And therefore have access to a customer's personally identifiable information. Unless a Storefront API development scenario calls for it, I explicitly remove access to the Customers area for the API key... 

Chrisjean101
New Member
11 0 0

Do you think we should have pause for concern since this key is publicly visible?

meta name="shopify-checkout-api-token" content="fc99e8e5aeb53d116da2f3f61f0e"

Gregarican
Shopify Partner
1033 86 292

Here is some documentation about this --> https://shopify.dev/docs/admin-api/rest/reference/access/storefrontaccesstoken. The token inherits the default unauthenticated access scopes. There's a link to those specifics in the documentation as well. Shopify has a good amount of API documentation. Like most providers, it takes some work keeping it totally accurate and up to date. But it's pretty helpful!

Chrisjean101
New Member
11 0 0

Thank you. I had referred to this document initially which leads me to believe that specific token is safe to show publicly since its Read only. But It wasn't exactly clear but that's my assumption. It seems to be a newly emerging topic .

Gregarican
Shopify Partner
1033 86 292

You're welcome. The only thing I would check in terms of granted access scopes for the API key is when it comes to read-only for customers. If a malicious party were to snoop and somehow retrieve the customer token then I'm thinking they could pull PII (Personally Identifiable Information) for the customer. Maybe that's just me being paranoid though...

Chrisjean101
New Member
11 0 0

Totally understandable... at the same time I don't see how they'd be able to retrieve this from just having just the store token unless the customer was vulnerable already.

Andy_Million
Visitor
2 0 0

Thanks Jason, that's good to know!