保护客户端应用程序中的YouTube v3 API密钥 [英] Protecting YouTube v3 API key in a client-side application

问题描述

我正在查看以下指南：和 https://developers.google.com/youtube/v3/revision_history 前进。

I'm looking at the following guide: https://developers.google.com/youtube/v3/getting-started

The first step of interacting with YouTube's API is:

You need a Google Account to access the Google Developers Console, request an API key, and register your application.

And they continue on to show an example where they use the key:

URL: https://www.googleapis.com/youtube/v3/videos?id=7lCDEYXw3mM&key=YOUR_API_KEY &part=snippet,contentDetails,statistics,status

I have a client-side application which is used by many people. The application issues search requests to YouTube's API. YouTube's API has a request limit of 50 million requests per day.

Since it's a client-side application, my API key is embedded into the code.

Today, a malicious user scripted something to max out the requests:

I'm wondering what recourse I have to be able to defend against this sort of activity. Is my only option to host a server, route all needs for YouTube's API through my server, and deny requests when they come too frequently?

I have real concerns about implementing something like that. It would effectively double the wait time for every API request and also tax the server a seemingly unnecessary amount, but perhaps it is needed.

Do I have any other options available to me?

Thanks

解决方案

This was due to a quota cost increase, it's temporarily reverted. We'll announce cost changes in http://apiblog.youtube.com/ and https://developers.google.com/youtube/v3/revision_history going forward.

这篇关于保护客户端应用程序中的YouTube v3 API密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！