Version: 2.2

Security Guidelines

Securing Your API Key

Your Moralis API key is sensitive information: anyone who holds it has access to all Moralis APIs. In other words, if your Moralis API key is exposed to bad actors, they will be able to abuse your Moralis API usage while you pay the bill for that unauthorized usage.

To avoid such a scenario, always follow these security guidelines when using Moralis:

Step 1: Store your API key as secrets

It is highly recommended that you keep your Moralis API key separate from your code. The best practice is to store your Moralis API key as an environment variable: in a secrets manager for production environments and in a .env file for local environments.

To add your Moralis API key as an environment variable in your local environment, first install a package that injects environment variables into your project.

# Read more about Dotenv at https://www.npmjs.com/package/dotenv
npm install dotenv

After installing the package, create a .env file to store your Moralis API key, and add the .env file to .gitignore to avoid accidentally pushing it to public repositories.

# Get your Moralis API Key at https://admin.moralis.io/web3apis
MORALIS_API_KEY=xxx

Once everything is set up, use the installed package to read the environment variable and get the Moralis API key for use in your code.

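const Moralis = require("moralis").default;
const dotenv = require("dotenv");

// inject environment variables from .env into process.env
dotenv.config();

// read the key from the environment and fail fast if it is missing
const apiKey = process.env.MORALIS_API_KEY;
if (!apiKey) {
  throw new Error("MORALIS_API_KEY is not set");
}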

In a production environment, the secrets manager setup differs from one platform to another. However, similar principles apply: store your Moralis API key as an (encrypted) environment variable, with MORALIS_API_KEY as the key and the API key as its value.

Step 2: Avoid API Calls from the client-side

The Moralis API key is sent in the header of every Moralis API call. In general, as long as the API call is made over HTTPS, an unauthorized third party will not be able to get your Moralis API key, because the request is encrypted in transit.

However, if the API call is made from the client side, all of the API call metadata is exposed, including the header information that contains your Moralis API key. As a consequence, a technically savvy bad actor using your dapp will be able to steal your API key from the client side and abuse it without your authorization.

Note also that if you make any Moralis API call from the frontend, storing the Moralis API key as a secret, as explained in the previous step, will not help. Once the API key is injected into your client-side dapp, it will likely be accessible to JavaScript and therefore vulnerable to XSS attacks.

To prevent bad actors from stealing your Moralis API key, make all Moralis API calls from the server side. If you are integrating Moralis into your NodeJS or Python project, you can do this with our backend-focused Moralis SDK. For NextJS users, we also provide the client-side package @moralisweb3/next, which calls the Moralis API from the NextJS backend using React Hooks.
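The server-side pattern from Step 2, as an added example that is not part of the original guide or the Moralis SDK: the browser calls a route on your own backend, and only that handler attaches the key. The upstream base URL, the balance path, the X-API-Key header name, and the function names are assumptions to check against the Moralis API reference.

```javascript
// Added example (not Moralis code): the browser calls /api/balance on your own
// backend; only this server-side handler ever sees MORALIS_API_KEY.

// Assumption: upstream base URL, balance path and X-API-Key header name;
// verify them against the Moralis API reference for the version you use.
const UPSTREAM = "https://deep-index.moralis.io/api/v2.2";
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Build the upstream call from validated input only. Nothing sent by the
// browser (headers, arbitrary paths) is copied into the upstream request.
function buildUpstreamRequest(address, apiKey) {
  if (!apiKey) throw new Error("MORALIS_API_KEY is not set");
  if (!ADDRESS_RE.test(address)) throw new RangeError("invalid address");
  return {
    url: `${UPSTREAM}/${address}/balance?chain=eth`,
    headers: { "X-API-Key": apiKey, Accept: "application/json" },
  };
}

function json(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "Content-Type": "application/json" },
  });
}

// Fetch-API style handler (Request in, Response out). fetchImpl is injectable
// so the handler can be exercised offline with a stub.
async function handleBalance(request, apiKey, fetchImpl = fetch) {
  const address = new URL(request.url).searchParams.get("address") || "";
  let upstreamReq;
  try {
    upstreamReq = buildUpstreamRequest(address, apiKey);
  } catch (err) {
    if (err instanceof RangeError) return json(400, { error: err.message });
    return json(500, { error: "server misconfigured" });
  }
  const upstream = await fetchImpl(upstreamReq.url, { headers: upstreamReq.headers });
  // Do not relay upstream error bodies or headers; they are not meant for clients.
  if (!upstream.ok) return json(502, { error: "upstream request failed" });
  // Forward only the JSON payload; the key stays on the server.
  return json(200, await upstream.json());
}
```

Pass process.env.MORALIS_API_KEY as apiKey when wiring handleBalance into your server framework; the frontend then requests /api/balance?address=... and never holds the key.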

Next Steps

To secure your dapp even further, we have more in-depth guides on specific APIs:

Support

If you face any trouble following the tutorial, feel free to reach out to our community engineers in our Discord or Forum to get 24/7 developer support.