Distribute An Application Without Revealing The Api Key

[cheese1756]

I'm currently writing an application with Node.js which uses the BTSync API. Reading through the emailed materials and the Terms of Use, it appears that BitTorrent wants the API key to be kept secret. How do I distribute the application without revealing the API key? How can users use the included config file without seeing the key? And how do I ensure that the key is not revealed when the application itself is open-source?

 

One solution I can think of is to create a closed-source executable binary in a language like Java, C, or Python (using cxfreeze) for each system which serves solely to start the BTSync instance with the config. That doesn't seem ideal, but I am willing to take that route if necessary. Is there another solution?

Edited March 5, 2014 by cheese1756

[abhibeckert]

Switching to something closed source/compiled will not hide the API key. Anyone who knows what they're doing can extract it

[Timbo]

Are they expecting to provide their own developer API using the open source? If so, then you can remove yours and have them insert their own.

[marc321]

I'm looking to build an updater for a multimedia application (I work for a school). This updater will be responsible to sync video files across multiple computers, which means it must be installed on all of them. Thus, I'm also interested in this question... What can I do to prevent the users from being able to see the API key?

[RomanZ]

Hi,

 

Please take a glance at my response here. It should address your question.

[delegatevoid]

Hi,

 

Please take a glance at my response here. It should address your question.

 

Pssssst... it's a dead link

[GreatMarko]

Pssssst... it's a dead link

@delegatevoid / @all - it's not a "dead link" as such, it's just a post that's posted in an area of the forums that not everyone has access to.

 

So for reference, here's the response Roman is referring to:

 

Hi all,

Here are some clarifications to the API terms:

1. It is allowed to share the API key during the development cycle between developers on that project and is not considered as a Terms violation.

2. It is allowed to include the API key in non-compiled programming languages, where including it is needed for their Application to work.

3. It is prohibited to include API key to public repositories. When a project is compiled - you can keep the key inside, but other developers who download sources from public repository should not get your key. In order to compile the project they need to get their own API key.

[RomanZ]

My bad, indeed, it was on closed forums. 

 

@GreatMarko - thanks for bringing the clarifications here!

[marc321]

Thanks, gentlemen.

[marc321]

Out of curiosity, what's the purpose of the API key? Or rather, how is it validated? If it's validation depends on connecting to a main bittorrent.com server, my implementation won't work if I'm using in a LAN-only environment with no external internet access.

 

Any clarification on this is welcome.