When you integrate a commodity pricing API into your application, the API key is the credential that controls access and billing. Mishandling it can lead to unauthorized usage, unexpected charges, or service disruption. This guide covers practical security patterns for managing API keys in different application architectures.
The Core Principle
Never expose your API key in a context where unauthorized users can see it. This sounds obvious, but the specifics vary significantly depending on your application architecture.
Server-Side Applications
For server-side applications like a Python script, Node.js service, or backend API, the standard approach is environment variables. Store your ScrapMetal API key in an environment variable rather than hardcoding it in your source code.
Never commit API keys to version control. Even in private repositories, keys in code create risk if the repository is ever made public, shared with contractors, or compromised. Use a .env file for local development and add it to your .gitignore file. For production, use your hosting platform's secrets management: Railway, Render, Heroku, and AWS all provide secure environment variable configuration.
Client-Side Applications
Browser-based applications present a unique challenge. Any API key included in client-side JavaScript is visible to anyone who opens browser developer tools. For commodity pricing dashboards and similar client-side apps, the solution is a backend proxy.
Build a thin server-side endpoint that your frontend calls. This endpoint adds the API key to the request and forwards it to the ScrapMetal API. The client never sees the actual API key. The proxy also lets you add caching to reduce API calls and rate limiting to prevent abuse.
If you must use client-side API calls, the ScrapMetal API supports domain restrictions. Lock your key to your specific domain so that even if someone extracts the key, they cannot use it from a different origin.
Mobile Applications
Mobile apps face similar issues to client-side web apps. The API key should not be embedded in the app binary where it can be extracted through decompilation. Use the same backend proxy pattern as client-side web apps.
CI/CD Pipelines
If your tests or build process calls the ScrapMetal API, use your CI platform's secrets feature to inject the API key. GitHub Actions, GitLab CI, and CircleCI all support encrypted secrets that are available as environment variables during the build but not visible in logs.
Key Rotation
Periodically rotating your API key limits the damage if a key is compromised. The ScrapMetal API dashboard lets you generate a new key and deactivate the old one. Plan your rotation process so you can update the key in all deployed services without downtime. Using environment variables makes this straightforward since you update the variable value without changing any code.
Monitoring Usage
Regularly review your API usage on the ScrapMetal API dashboard. A sudden spike in calls could indicate that your key has been compromised and someone else is using it. Set up usage alerts if available so you are notified of unusual patterns before they become costly.