FAQ

How do I not leak my API key?

When you are writing your own integration for kapa based on the API, you will be faced with the question of where to put your API key so that it stays secure. No matter what you are building, you should never put your API key into client-side code that runs in the user's browser. It is impossible to hide an API key in client-side code: anyone can grab it from the browser's network tab or the bundled JavaScript and start making programmatic requests to your kapa instance on your account. This is what you need to avoid.

If your integration runs behind a login, the solution is straightforward. Add new authenticated routes to your backend that forward requests to the kapa API. Store the kapa API key securely server-side and attach it to each request before forwarding it, so the key never leaves your backend.

If your integration is not protected by an authentication flow, the problem gets slightly harder. Simply moving the key server-side is not enough on its own, because anyone can call your kapa instance through your own backend: you have no means of authenticating requests to your proxy routes, so a proxy without some gate just moves the abuse one hop.

One possible solution in this scenario is to use a captcha. There are many captcha providers to pick from, and most offer a frontend SDK that you integrate into your client-side code. When the user interacts with your integration, this code tries to determine whether the interaction is human. If so, your client code receives a token from the provider. You attach this token to the requests you send to your proxy routes. On the backend you validate the token with the provider (using your provider secret, which also stays server-side) and only then forward the request to kapa. This way you can protect your backend routes without traditional means of authentication like emails and passwords.
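The following is an added example (not kapa's own code) of the server-side half of this pattern: a framework-agnostic proxy handler that reads the captcha token the client attached, verifies it with the provider, and only then attaches the kapa API key and forwards an allow-listed request body upstream. The provider verify URL, the upstream URL, the `X-Captcha-Token` and `X-API-KEY` header names, the environment variable names, and the `success` field in the provider's reply are assumptions; substitute the values from your captcha provider's and kapa's documentation. The `constructed_transport` function is a constructed stand-in for the network so the module runs offline.

```python
"""Added example: keep the kapa API key server-side and gate the proxy with a captcha.

Framework-agnostic on purpose: plug `proxy_request` into whatever route handler
your backend uses. All URLs and header names below are placeholders/assumptions.
"""
import json
import os
import urllib.parse
import urllib.request

# Secrets are read from the server's environment; neither value ever reaches the browser.
KAPA_API_KEY = os.environ.get("KAPA_API_KEY", "placeholder-kapa-api-key")
CAPTCHA_SECRET = os.environ.get("CAPTCHA_SECRET", "placeholder-captcha-secret")

# Placeholder endpoints (assumptions): your captcha provider's verify URL and the kapa API URL.
CAPTCHA_VERIFY_URL = "https://captcha.example.invalid/siteverify"
KAPA_UPSTREAM_URL = "https://kapa.example.invalid/query"

# Only these client-supplied fields are forwarded, so the proxy cannot be turned into a
# general relay that lets callers send arbitrary payloads with your key.
ALLOWED_FIELDS = ("query",)


def http_post(url, data, headers):
    """Default transport: POST raw bytes and return (status, decoded JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def verify_captcha(token, post=http_post):
    """Ask the captcha provider whether `token` is genuine.

    Assumption: the provider takes a form-encoded POST of your secret plus the token
    and answers with JSON containing a boolean `success` field. Any transport error
    is treated as "not verified" so the proxy fails closed."""
    form = urllib.parse.urlencode({"secret": CAPTCHA_SECRET, "response": token}).encode()
    try:
        status, body = post(CAPTCHA_VERIFY_URL, form,
                            {"Content-Type": "application/x-www-form-urlencoded"})
    except Exception:
        return False
    return status == 200 and body.get("success") is True


def proxy_request(headers, body, post=http_post):
    """Handle one request from the unauthenticated client; returns (status, response).

    The kapa key is attached only after the captcha token has been accepted, and only
    the allow-listed fields of the client body are sent upstream."""
    token = headers.get("X-Captcha-Token")
    if not token:
        return 401, {"error": "missing captcha token"}
    if not verify_captcha(token, post=post):
        return 403, {"error": "captcha verification failed"}
    upstream_body = {k: body[k] for k in ALLOWED_FIELDS if k in body}
    if "query" not in upstream_body:
        return 400, {"error": "missing query"}
    data = json.dumps(upstream_body).encode()
    return post(KAPA_UPSTREAM_URL, data,
                {"Content-Type": "application/json", "X-API-KEY": KAPA_API_KEY})


def constructed_transport(url, data, headers):
    """Constructed offline stand-in for the network: the fake provider accepts exactly
    one token ("good-token"); the fake upstream echoes what it received."""
    if url == CAPTCHA_VERIFY_URL:
        return 200, {"success": b"response=good-token" in data}
    return 200, {"answer": "constructed kapa reply",
                 "saw_key": headers.get("X-API-KEY"),
                 "forwarded_body": json.loads(data)}


if __name__ == "__main__":
    for hdrs in ({}, {"X-Captcha-Token": "bad"}, {"X-Captcha-Token": "good-token"}):
        print(hdrs, "->", proxy_request(hdrs, {"query": "hello"}, post=constructed_transport))
```

Pair this with a rate limit on the proxy route and keep the captcha token single-use if your provider does not already enforce that; the handler above decides purely on the provider's verdict, which is the minimum the text describes.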