Comment by Nick Kramer on "We are the devs from Team Netlify, Ask us anything!"

Thanks for doing this AMA and for everything you all do at Netlify! I love the service!

When it comes to setting up a JAMStack site, what is the best way to handle authentication with services that require API keys or some form of authentication? We obviously don't want them just hanging out in the front end willy nilly, and I've heard of having a possible serverless function or service that handles all API related calls, but I could see that possibly being abused.

I've found it hard to find a good answer for this, which could totally be improper wording.

Thanks for your question! You’re absolutely spot on, auth is a really hard problem to get right! When it comes to JAMstack, auth can be handled using any auth as a service library like Auth0, Okta or Netlify Identity, which is an auth service we offer to Netlify users. As for API keys and making sure those don’t get leaked, serverless functions as you mentioned are really handy for that. Netlify support env variables, so you could pass in API keys to your functions that way. You could also use a service like AWS Parameter Store to store your secrets, and I believe that integrates nicely with the Serverless Framework, if you choose to go down that path. The downside to the approaches ,mentioned of course if that it’s possible for malicious users to abuse functions since environment variables can become exposed as a result. One way to potentially counteract this is to make sure that your function end points are not “guessable”, meaning that you could do a redirect so accessing /api actually routes to /.netlify/functions/WHATEVERFUNCTIONNAME which performs an API call to whatever service you're trying to access. Hope this helps!

That clarifies a lot and definitely gives me, and anyone else, a good starting point. I'm going to just jump off and mess around with functions and auth this weekend if I can find enough time!

Thanks so much for the info and all of the information and insights from podcasts like Views on Vue!

For sure! If you'd like an example of how to work with env variable and functions when accessing an external API in Netlify, I wrote a blog post recently that may be helpful, complete with code samples to play around with. Also, more importantly, it comes with free pizza recommendations if you ever find yourself in Chicago! -> netlify.com/blog/2019/05/29/creating-a-map-of-the…

In addition to Divya's post, you might also find this example of a serverless function which acts as a proxy, adding a secret API and calling a service.

github.com/depadiernos/token-hider-inator

I find these useful to dip into... a wide range of examples and references gathered here.

functions.netlify.com/examples

Thanks again both of you for your awesome work and for some great resources!

Search Hashnode