Distribute An Application Without Revealing The API Key



I'm currently writing an application with Node.js which uses the BTSync API. Reading through the emailed materials and the Terms of Use, it appears that BitTorrent wants the API key to be kept secret. How do I distribute the application without revealing the API key? How can users use the included config file without seeing the key? And how do I ensure that the key is not revealed when the application itself is open-source?


One solution I can think of is to create a closed-source executable binary in a language like Java, C, or Python (using cxfreeze) for each system which serves solely to start the BTSync instance with the config. That doesn't seem ideal, but I am willing to take that route if necessary. Is there another solution?

  • 2 weeks later...
  • 4 months later...

I'm looking to build an updater for a multimedia application (I work for a school). This updater will be responsible for syncing video files across multiple computers, which means it must be installed on all of them. Thus, I'm also interested in this question... What can I do to prevent the users from being able to see the API key?


Pssssst... it's a dead link

@delegatevoid / @all - it's not a "dead link" as such, it's just a post that's posted in an area of the forums that not everyone has access to.


So for reference, here's the response Roman is referring to:


Hi all,

Here are some clarifications to the API terms:

1. It is allowed to share the API key during the development cycle between developers on that project and is not considered as a Terms violation.

2. It is allowed to include the API key in non-compiled programming languages, where including it is needed for their Application to work.

3. It is prohibited to include the API key in public repositories. When a project is compiled - you can keep the key inside, but other developers who download sources from a public repository should not get your key. In order to compile the project they need to get their own API key.

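Added example, not part of the original thread or any poster's code: one way a Node.js application can follow point 3 above, committing only a key-free config template and merging each developer's own key in at start-up. The `BTSYNC_API_KEY` variable name, the key-file argument, the output file name and the `webui.api_key` field are assumptions, and the template and key are constructed sample values.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve the key from the environment first, then from an untracked local file.
// BTSYNC_API_KEY is a hypothetical variable name chosen for this example.
function loadApiKey(env, keyFile) {
  if (env.BTSYNC_API_KEY) return env.BTSYNC_API_KEY.trim();
  if (keyFile && fs.existsSync(keyFile)) {
    const mode = fs.statSync(keyFile).mode & 0o777;
    // On POSIX, refuse a key file that group or other users can access.
    if (process.platform !== 'win32' && (mode & 0o077) !== 0) {
      throw new Error(`${keyFile} is accessible to group/others; chmod 600 it`);
    }
    return fs.readFileSync(keyFile, 'utf8').trim();
  }
  throw new Error('No API key: set BTSYNC_API_KEY or create the key file');
}

// Merge the key into a copy of the committed template and write the result
// to a private file outside the source tree. The template is never modified.
function writeRuntimeConfig(template, apiKey, outDir) {
  const config = JSON.parse(JSON.stringify(template));
  // Assumption: the API key is read from webui.api_key in the config file.
  config.webui = Object.assign({}, config.webui, { api_key: apiKey });
  const outPath = path.join(outDir, 'sync.conf');
  fs.writeFileSync(outPath, JSON.stringify(config, null, 2), { mode: 0o600 });
  return outPath;
}

// Constructed template: the only config that would live in the public repository.
const TEMPLATE = { device_name: 'example', webui: { listen: '127.0.0.1:8888' } };

// Runs the flow end to end with a constructed placeholder key.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'btsync-'));
  const key = loadApiKey({ BTSYNC_API_KEY: 'CONSTRUCTED-PLACEHOLDER-KEY\n' }, null);
  const outPath = writeRuntimeConfig(TEMPLATE, key, dir);
  return { outPath, written: JSON.parse(fs.readFileSync(outPath, 'utf8')) };
}
```

This keeps the key out of the source tree; it does not hide the key from someone with access to the machine where the generated config is written.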
  • 3 weeks later...

Out of curiosity, what's the purpose of the API key? Or rather, how is it validated? If its validation depends on connecting to a main bittorrent.com server, my implementation won't work if I'm using it in a LAN-only environment with no external internet access.


Any clarification on this is welcome.



This topic is now archived and is closed to further replies.