Since the API is free to use, the only real problem with someone stealing your API key is that they can create an application whose requests come from yours (from API's point of view). I can't really think of a way of abusing the API (apart from perhaps trying to mount a DDoS attack) that could get you in trouble. On principle, it's good to hide your API key from users but, in this case, not doing so wouldn't be too much of a problem. If you are using the 2nd option and are worried about people making api requests, you could limit the server-side script to only make requests for certain parts of the API (e.g. search, movie/images) rather than using the client-side ajax request to spoon-feed the server-side script on which requests to make (e.g. script.php?search=die+hard instead of script.php?query=search/die+hard or script.php?query=movie/550/images

In my opinion, it's all about how much you're doing with the API. For some basic film retrieval stuff do whatever is easiest. If you get into using some session and account features it might be better to put that in a server side executed script.

The only thing to remember is to properly set the users request IP and pass that through to the request your server makes. Our request rate limiting is only imposed by IP address, not API key.

Cheers.

Thank you very much for your replies

I think you're right; without accessing account features, there's little protection required. In this case I will only be fetching film & actor information and, given the private nature of the application, the risk is negligible.

Still, it has been very useful to think through the problem thoroughly.

Thanks again.

@Travis: Sorry to reopen the thread, but what do you mean by "set the users request IP and pass that through to the request your server makes"? I'm trying to setup a Javascript side as well, forwarding it through my server to avoid exposing my api key, but if the server makes the request, wouldn't its IP be the one logged in TMDb's rate limiting?

I need to double check with our ops team but I believe we should support the X-Forwaded-For header. You can read more about it here: http://en.wikipedia.org/wiki/X-Forwarded-For

Can TMDB provide "domain-restriction" feature for the api keys we generate? This will reduce lot of support requests.

For example, key1 could be set to use "mydevdomain.org" -- if the api key is used from any other domain (e.g stolen), TMDB can just reject that request .

Google/others provide such security so a stolen key would essentially be useless. https://miro.medium.com/max/700/1*hZMO_rI-QmTJqs41e1H5dA.png

Most users don’t have a website though, so sure, it will help those who do, but if we’re only able to secure ~5% of the requests, the overall net benefit is very small.

Is there a way to avoid apikey in url? eg setting some value in header?

https://stoplight.io/blog/api-keys-best-practices-to-authenticate-apis/

x-api-key The most popular choice, perhaps due to its usage by AWS API Gateway, x-api-key is a custom header convention for passing your API key.

GET / HTTP/1.1 Host: example.com X-API-KEY: abcdef12345

Thanks, was able to set bearer token in header https://developers.themoviedb.org/3/getting-started/authentication#bearer-token