Can anyone use my API with a private API key?

Hi all,

Just a curious question: with a private API key/token (stored as an environment variable), will anyone be able to access and call my API? I am aware that environment variables are embedded into the build and can be inspected. Are there ways to protect my API usage, particularly for NuxtJS? (i.e. limit usage to only a certain domain, etc.)

Hi Gabriel,

Thank you for contributing to the Prismic community.

I'm not sure I've understood the question. However, if you are asking whether somebody who has access to the deployed instance of your application can access the access token that you store in environment vars on a platform such as Netlify, the answer is that they will be able to access it.

But if you mean that you deploy your application on Netlify, for example, and some lambda user tries to access your website, then it depends on your implementation.

If you are making calls to Prismic on the client side, then yes, anyone will be able to see their access token and make calls to Prismic using it.

If you use environment variables and all the calls are made server-side, then there should be no way for your end website user to get and use the access token.

Please let me know if that answers your inquiry,
Fares
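
The server-side arrangement described in the answer above, as an added example that is not part of the original thread and not Prismic's or Nuxt's own code: the browser calls a route on your server, and only that route attaches the token and forwards an allow-listed set of query parameters. The environment variable names `PRISMIC_ENDPOINT` and `PRISMIC_ACCESS_TOKEN`, the function names, and the allow-list are assumptions chosen for illustration.

```javascript
// Added example: runs only on the server (server route / serverless function).
// Env var names and function names are assumptions for illustration.
const ALLOWED_PARAMS = new Set(["q", "page", "pageSize", "lang"]);

// Build the upstream search URL. The token comes from the server environment;
// only allow-listed client parameters are forwarded, so a caller cannot
// supply its own `access_token` or `ref`.
function buildUpstreamUrl(clientQuery, ref, env) {
  if (!env.PRISMIC_ACCESS_TOKEN) throw new Error("PRISMIC_ACCESS_TOKEN is not set");
  const base = env.PRISMIC_ENDPOINT.replace(/\/*$/, "");
  const url = new URL(base + "/documents/search");
  for (const [key, value] of Object.entries(clientQuery)) {
    if (ALLOWED_PARAMS.has(key) && typeof value === "string") {
      url.searchParams.set(key, value);
    }
  }
  url.searchParams.set("ref", ref);
  url.searchParams.set("access_token", env.PRISMIC_ACCESS_TOKEN);
  return url.toString();
}

// Defense in depth: replace literal copies of the token in the upstream body
// (for instance in a link that echoes the request URL) before replying.
function redactToken(body, token) {
  return JSON.parse(JSON.stringify(body).split(token).join("[redacted]"));
}

// Handler core. `fetchImpl` is injectable so the logic can be tested offline.
async function proxySearch(clientQuery, env = process.env, fetchImpl = fetch) {
  const token = env.PRISMIC_ACCESS_TOKEN;
  const rootUrl = new URL(env.PRISMIC_ENDPOINT);
  rootUrl.searchParams.set("access_token", token);
  const rootRes = await fetchImpl(rootUrl.toString());
  if (!rootRes.ok) return { status: 502, body: { error: "upstream error" } };
  const master = (await rootRes.json()).refs.find((r) => r.isMasterRef);
  if (!master) return { status: 502, body: { error: "no master ref" } };
  const res = await fetchImpl(buildUpstreamUrl(clientQuery, master.ref, env));
  if (!res.ok) return { status: 502, body: { error: "upstream error" } };
  return { status: 200, body: redactToken(await res.json(), token) };
}
```

Mount `proxySearch` behind a server route and have the client code call that route instead of the Prismic endpoint; the token must not be referenced from any code that is bundled for the browser.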
