So I have a flutter app that logs to Rollbar. The https requests require an API key (restricted to just being able to submit logs) which will be the same for all clients.
Is it good practice to keep this key protected somehow or should it just be hard coded in the app?
If it should be protected, what is the best strategy for handling this?
Rollbar uses two kinds of API keys: one to be used on backend servers, and the other is used in your Javascript browser client.
The backend token is never shared and should be kept secure. The client token can be (or is automatically) scoped to not allow any actions other than posting events.
The client token is visible using dev tools, even if you take steps to obfuscate it. If your token is abused, you can generate a new token and retire the old one. Your best strategy for token management is one that allows you to easily update it if needed. Rollbar also allows blocking by IP address, if you need to block a specific known offender.
Here's Rollbar's doc: https://help.rollbar.com/security/preventing-client-side-access-token-abuse