EmailJS
Is it okay to expose my Public Key? #19
-
|
I'm new to working with APIs, so forgive me if this seems obvious. I wanted to use EmailJS for a contact form that I have on my website. From the example given in the docs, it looks like I inject my public key directly into the sendForm call. My website is fully front end so I won't have a way to hide this key. Am I leaving myself vulnerable if I do this? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
That's why it's called the Public Key :) |
Beta Was this translation helpful? Give feedback.
-
|
I didn't have time to answer in more detail, so I'll add this answer now. Indeed, someone could copy your keys (a well-known issue of any public API), but they will only be able to send your templates, with your content, and will not be able to send a custom email with their own content (spam). Which is absolutely not interesting for spammers. A better way to think of EmailJS in terms of security is not as a service that allows you to send emails from your code, but rather as a service that allows you to create a predefined set of emails via the dashboard, and then just trigger the emails from the code. This is quite similar to how emails are usually sent via a proprietary server code, and also to the way products like Intercom or customer.io are working. Additionally, we've also developed various tools to prevent abuse – for instance, a whitelist of origin, reCAPTCHA tests to make sure that a human is sending the email, etc (although it's up to the developer to turn this feature on). |
Beta Was this translation helpful? Give feedback.
That's why it's called the Public Key :)