
How does one secure API keys on SvelteKit 1.0?


I am using Ghost. I made an integration and I would like to hide the API key from the front end. I do not believe I can set restrictions on the Ghost CMS (that would also work). And I do believe +page.js files are run in the browser also, so I'm a little confused about how to achieve this?


Solution

  • The internal SvelteKit module $env/static/private (docs) is how you use secure API keys. SvelteKit will not allow you to import this module into client code, so it provides an extra layer of safety. Vite automatically loads your environment variables from .env files and process.env on build and injects your key into your server-side bundle.

    import { API_KEY } from '$env/static/private';
    // Use your secret
    

    SvelteKit has 4 modules for accessing environment variables
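
A server-only load function built on the private env module, as an added example that is not part of the original answer. It assumes the Ghost Content API posts endpoint and the hypothetical variable names `GHOST_URL` and `GHOST_CONTENT_KEY`, and takes them as parameters so the code also runs outside a SvelteKit project.

```javascript
// Sketch of src/routes/blog/+page.server.js (a +page.server.js file never
// ships to the browser). In a real project the two values come from:
//   import { GHOST_URL, GHOST_CONTENT_KEY } from '$env/static/private';
//   export const load = makeLoad(GHOST_URL, GHOST_CONTENT_KEY);
// GHOST_URL and GHOST_CONTENT_KEY are assumed names, not from the page.

// Build the Ghost Content API request. The key only ever appears in this
// server-to-Ghost URL.
function buildPostsUrl(ghostUrl, key) {
  const url = new URL('/ghost/api/content/posts/', ghostUrl);
  url.searchParams.set('key', key);
  url.searchParams.set('fields', 'title,slug,excerpt,published_at');
  return url;
}

// Whatever load() returns is serialized into the page sent to the browser,
// so copy only the fields the template needs instead of passing the raw body.
function toPublicPosts(body) {
  return (body.posts ?? []).map(({ title, slug, excerpt, published_at }) => ({
    title, slug, excerpt, published_at
  }));
}

// Factory returning a SvelteKit-style load function; `fetch` is the one
// SvelteKit passes to load().
function makeLoad(ghostUrl, key) {
  return async function load({ fetch }) {
    const res = await fetch(buildPostsUrl(ghostUrl, key));
    if (!res.ok) {
      // Report the status only: the request URL contains the key.
      throw new Error(`Ghost request failed with status ${res.status}`);
    }
    return { posts: toPublicPosts(await res.json()) };
  };
}
```

The key stays private only as long as it is absent from the object `load` returns and from any error message that reaches the client.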