My inexperience has left me short of understanding how to hide an API Key. Sorry, but I've been away from web development for 15 years as I specialized in relational databases, and a lot has changed.

I've read a ton of articles, but don't understand how to take advantage of them. I want to put my YouTube API key(s) on the server, but have the client able to use them without exposure. I don't understand how setting an API key on my server (ISP provided) enables the client to access the YouTube channel associated with the project. Can someone explain this to me?


I am not sure what you want to do but for a project I worked on I needed to get a specific playlist from YouTube and make the contents public to the visitors of the website.

What I did is a sort of proxy. I set up a PHP file containing the API key, and then have the end user get the YT content through this PHP file.

The PHP file gets the content from YT using curl.


The way to hide the key is to put it in a PHP file on the server. This PHP file will be the one connecting to YouTube and retrieving the data you want on your client page.

This example code, with the correct API key and playlist ID, will get a JSON file with the first 10 tracks of the playlist.

$resp will hold the JSON data. To extract it, it has to be decoded, for example into an associative array. Once in the array, it can easily be mixed into the HTML that will be rendered in the client browser.

        <?php
        $apiKey = "AIza...";
        $results = "10";
        $playList = "PL0WeB6UKDIHRyXXXXXXXXXX...";

        $request = "https://www.googleapis.com/youtube/v3/playlistItems?part=id,contentDetails,snippet&maxResults=" . $results .
                   "&fields=items(contentDetails%2FvideoId%2Cid%2Csnippet(position%2CpublishedAt%2Cthumbnails%2Fdefault%2Ctitle))" .
                   "&playlistId=" . $playList .
                   "&key=" . $apiKey;

        $curl = curl_init();
        curl_setopt_array($curl, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_URL => $request,
            CURLOPT_SSL_VERIFYPEER => false
        ));

        $resp = curl_exec($curl);

        if (curl_errno($curl)) {
            // transport-level failure (DNS, TLS, timeout): there is no HTTP response to inspect
            $status = "CURL_ERROR";
        } else {
            // check the HTTP status code of the request
            $resultStatus = curl_getinfo($curl, CURLINFO_HTTP_CODE);
            if ($resultStatus == 200) {
                $status = "OK";
                // $resp is in JSON format; decode it into an associative array
                $items = json_decode($resp, true);
            } else {
                $status = "YT_ERROR";
            }
        }
        curl_close($curl);
        ?>
<!-- your html here -->

Note: CURLOPT_SSL_VERIFYPEER is set to false. This is for development. For production it should be true.

Also note that using the API this way, you can restrict the calls to your API key by binding them to your domain. You do that in the Google API console. (Tip for production)
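The answer above describes the proxy pattern but the snippet is a fixed-playlist page fragment. Below is an added example of a stand-alone proxy endpoint written for this page, not code from the original answer. It keeps the key in a server environment variable, strictly validates the one parameter the browser may supply, builds the upstream URL with proper encoding so a visitor cannot smuggle extra query parameters, keeps TLS verification on, never reflects upstream error details (and therefore never the key) back to the visitor, and caches responses so repeated page loads do not burn API quota. The environment variable name `YT_API_KEY`, the cache location, the cache TTL and the playlist-ID regex are assumptions for this example.

```php
<?php
// proxy.php (added example, not the original answer's code)
// Browser calls:  GET /proxy.php?playlist=<PLAYLIST_ID>
// Server returns: {"items": [...]} from the YouTube Data API, key never exposed.
//
// Assumptions: the key is provided in the environment variable YT_API_KEY
// (set in the web server config, not in a file under the document root);
// cache files live in sys_get_temp_dir().

declare(strict_types=1);

const MAX_RESULTS = 10;
const CACHE_TTL   = 300;   // seconds; YouTube quota is per day, so cache aggressively

function fail(int $httpCode, string $message): void
{
    http_response_code($httpCode);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. The key lives only in the server environment, never in client-visible code.
$apiKey = getenv('YT_API_KEY');
if ($apiKey === false || $apiKey === '') {
    fail(500, 'server misconfigured');
}

// 2. Validate the only user-controlled input strictly before it goes anywhere near
//    the upstream URL. Playlist IDs use URL-safe characters; the length bounds are
//    an assumption chosen to be generous. Anything else is rejected.
$playlist = $_GET['playlist'] ?? '';
if (!is_string($playlist) || !preg_match('/^[A-Za-z0-9_-]{10,64}$/', $playlist)) {
    fail(400, 'invalid playlist id');
}

// 3. Serve a fresh cached copy if one exists, so hammering the proxy costs no quota.
$cacheFile = sys_get_temp_dir() . '/yt_' . hash('sha256', $playlist) . '.json';
if (is_file($cacheFile) && (time() - filemtime($cacheFile)) < CACHE_TTL) {
    header('Content-Type: application/json');
    readfile($cacheFile);
    exit;
}

// 4. Build the upstream URL with http_build_query so every value is encoded and a
//    visitor cannot inject "&key=" or other parameters of their own.
$query = http_build_query([
    'part'       => 'id,contentDetails,snippet',
    'maxResults' => MAX_RESULTS,
    'fields'     => 'items(contentDetails/videoId,id,snippet(position,publishedAt,thumbnails/default,title))',
    'playlistId' => $playlist,
    'key'        => $apiKey,
]);
$url = 'https://www.googleapis.com/youtube/v3/playlistItems?' . $query;

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL            => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,            // never disable this in production
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse redirects/downgrades to plain HTTP
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,
]);
$body  = curl_exec($curl);
$errno = curl_errno($curl);
$code  = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);

// 5. Log upstream problems server-side and return a generic message; nothing about
//    the upstream request (including the key) is reflected to the visitor.
if ($errno !== 0 || $body === false) {
    error_log("YouTube proxy: curl error $errno for playlist $playlist");
    fail(502, 'upstream connection failed');
}
if ($code !== 200) {
    error_log("YouTube proxy: upstream HTTP $code for playlist $playlist");
    fail(502, 'upstream error');
}

$data = json_decode($body, true);
if (!is_array($data) || !isset($data['items'])) {
    fail(502, 'unexpected upstream response');
}

// 6. Return only the fields the page needs, cache them, and let the browser cache too.
$out = json_encode(['items' => $data['items']]);
file_put_contents($cacheFile, $out, LOCK_EX);
header('Content-Type: application/json');
header('Cache-Control: public, max-age=' . CACHE_TTL);
echo $out;
```

On the client, the page then calls its own origin, for example `fetch('/proxy.php?playlist=PL0WeB6UKDIHRy...')`, and renders the returned JSON; the browser never sees googleapis.com or the key. One caveat on the domain-restriction tip: in the Google API console, the "HTTP referrers" restriction is meant for keys used directly from a browser. A key used only from a server-side proxy like this one should instead be restricted to your server's IP address(es), because curl sends no Referer header and a referrer-restricted key would be rejected.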

