
@herbcaudill/easy-api-key
Password-encrypt API keys and secrets for bundling with your app. Decryption happens entirely in the browser using the Web Crypto API.
You want to ship an app that needs an API key, but you don't want to:
With this package, you encrypt your API key with a password, bundle the encrypted data with your app, and users enter the password to decrypt it at runtime.
pnpm add @herbcaudill/easy-api-key
Use the CLI to encrypt your API key:
# Interactive mode
npx easy-api-key -o src/encrypted-key.json
# Or pipe the secret
echo "sk-ant-api03-xxx" | npx easy-api-key -p mypassword -o src/encrypted-key.json
This creates a JSON file like:
{
  "salt": "base64...",
  "iv": "base64...",
  "ciphertext": "base64..."
}
import { decryptSecret, type EncryptedData } from "@herbcaudill/easy-api-key"
import encryptedKey from "./encrypted-key.json"
const apiKey = await decryptSecret(password, encryptedKey as EncryptedData)
import { encryptSecret } from "@herbcaudill/easy-api-key/node"
import fs from "fs"
const encrypted = encryptSecret("my-api-key", "password123")
fs.writeFileSync("encrypted.json", JSON.stringify(encrypted, null, 2))
Usage: easy-api-key [options]

Options:
  -o, --output <file>    Write encrypted data to file (default: stdout)
  -p, --password <pass>  Use this password (otherwise prompts)
  -h, --help             Show this help message
The encrypted data is safe to commit to your repo. Without the password, the secret cannot be recovered.
Note: Once decrypted, your app will typically store the API key in memory or localStorage for the session. Consider the security implications for your specific use case.
The encrypted JSON file needs to be importable. Most bundlers (Vite, webpack, etc.) support JSON imports out of the box.
For TypeScript, you may need to add to your tsconfig.json:
{
  "compilerOptions": {
    "resolveJsonModule": true
  }
}
MIT