<aside>
👋
The current state is the same as on most other platforms with API keys: it's up to the dev to protect their keys.
</aside>
Context
Most platforms don't provide any anti-abuse measures for client-side API keys and simply leave it to the dev to protect their key, but Aptos Build aims to reduce the amount of infra our devs need to run and to make their integrations as easy as possible. To that end, we should consider strengthening our client-side key protections.
Ideas
- Verify User-Agent, Referer, etc.
- Geolocation restrictions.
- Let the dev specify an allowlist of queries supported by the key (e.g. for particular endpoints / resources).
  - This would be challenging given our various API upstreams and their complex query patterns. For example, path params and BCS requests for the node API, POST requests for GraphQL. But not impossible.
- Short-lived API keys / session keys.
  - Probably easily defeated by bad actors.
- reCAPTCHA (would introduce non-trivial additional latency).
- Attempt to enforce browser context, e.g. pixel magic, canvas / web fingerprinting.
- ML magic akin to Cloud Armor.
- Some kind of authentication-based rate limiting, e.g. make the user log in and then include some identifier for them with requests. This would require some way for the dev to give us access to the authorised identifiers (they essentially give us access to an API).
  - Signatures using a wallet could be used for this, but since accounts can be created cheaply, there would have to be some additional verification (e.g. the account holds a particular on-chain resource).
- Ability to block specific IPs. Probably most powerful when paired with the ability to populate the blocklist from an API provided by the dev.
- Block requests based on x-aptos-client.
The query allowlist is probably the most effective option: abusers will be dissuaded from using a key if it only works for certain queries.
We should give the dev the option to turn detailed error messages on or off when a request is rejected. With detailed messages off, it is harder for abusers to work out why they were blocked.
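As an added illustration (not Aptos Build code), here is a minimal gate that combines the per-key query allowlist with the detailed-error toggle: node API routes are matched by method and path pattern (so a BCS body is treated like any other body), and GraphQL POSTs are matched on their root selection names. The GraphQL path, the sample routes and the field names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

GRAPHQL_PATH = "/v1/graphql"  # assumed upstream path for the indexer GraphQL API
_TOKEN = re.compile(r"\{|\}|\(|\)|\w+|\S")


@dataclass
class KeyPolicy:
    routes: list[tuple[str, str]]  # (method, path pattern); "{param}" matches one segment
    graphql_fields: set[str] = field(default_factory=set)  # allowed root selections on POST
    detailed_errors: bool = False  # the dev-controlled toggle from the note above


def _route_regex(pattern: str) -> re.Pattern:
    # "/v1/accounts/{address}/resources" -> anchored regex; path params are opaque,
    # so a BCS or JSON request to the same route is judged by method + path only.
    parts = ["[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + "/?$")


def graphql_root_fields(query: str) -> set[str]:
    """Top-level selection names of a GraphQL document (assumes no aliases/fragments)."""
    depth = paren = 0
    fields: set[str] = set()
    for tok in _TOKEN.findall(re.sub(r"#.*", "", query)):  # drop line comments first
        if tok == "{": depth += 1
        elif tok == "}": depth -= 1
        elif tok == "(": paren += 1
        elif tok == ")": paren -= 1
        elif depth == 1 and paren == 0 and (tok[0].isalpha() or tok[0] == "_"):
            fields.add(tok)  # a name directly under the operation's outer braces
    return fields


def authorize(policy: KeyPolicy, method: str, path: str, body: str = "") -> tuple[bool, str]:
    """Gate one request; the message stays generic unless detailed errors are enabled."""
    method, path = method.upper(), path.rstrip("/") or "/"
    if method == "POST" and path == GRAPHQL_PATH:
        fields = graphql_root_fields(body)
        denied = fields - policy.graphql_fields
        if fields and not denied:
            return True, "ok"
        detail = f"GraphQL root fields not allowed: {sorted(denied) or 'none parsed'}"
    elif any(m.upper() == method and _route_regex(pat).match(path) for m, pat in policy.routes):
        return True, "ok"
    else:
        detail = f"{method} {path} is not in the key's allowlist"
    return False, detail if policy.detailed_errors else "request not permitted for this API key"


# Sample policy constructed for this example; route and field names are illustrative.
SAMPLE_POLICY = KeyPolicy(
    routes=[("GET", "/v1/accounts/{address}/resources"), ("POST", "/v1/view")],
    graphql_fields={"current_token_ownerships_v2"},
)
```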