Tags: gcloud, speech-to-text

How to protect Google Speech-To-Text API key if it's on client's computer?


Quick overview: The application uses Google's Speech-To-Text to convert the microphone input to text in real time. Because of this, the API key has to be (?) on the client's computer.

It's a web application embedded in Electron, so that it has access to the local file system and can start the server that communicates with Google's API. It then sends the received data to the web application via a websocket.

What I just realized was that no matter what language I write the server in, a very crafty user might be able to retrieve the API key from the code. How do I protect that key?


Solution

  • I encourage you to only distribute API keys as a last resort; API keys are effectively project-wide bearer tokens with limited constraints as to how they may be used.

    You should be able to use service accounts.

    Using service accounts you can:

    • use >=1 service account for every customer, enabling you to enable|disable users at the granularity of one customer or perhaps one customer business unit
    • use|assume service account key rotation, enabling you to promptly revoke mislaid|shared keys

    See:

    You may wish to consider hosting rather than distributing your server. By hosting the server you increase your control over it, enable more rapid (continuous) updates, bug fixes etc., limit the ability of bad actors to reverse-engineer your code and limit the ability of bad actors to acquire your service account keys.
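The per-customer service account and key-revocation workflow described in the answer above, as an added example that is not part of the original answer. It assumes a project id in `PROJECT_ID`, a naming scheme `stt-<customer>` for the service accounts, and that the Speech-to-Text client role is `roles/speech.client`; the `GCLOUD` variable exists only so the script can be dry-run with a stand-in such as `echo` instead of the real `gcloud` binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): one service account per
# customer, one key per customer, and prompt revocation of a mislaid key.
# Assumptions: PROJECT_ID is your GCP project id; service accounts are named
# stt-<customer>; GCLOUD can be pointed at a stand-in binary for a dry run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT_ID="${PROJECT_ID:-my-project}"   # assumed project id

# E-mail address of the service account for a customer id such as "acme".
sa_email() {
  printf 'stt-%s@%s.iam.gserviceaccount.com\n' "$1" "$PROJECT_ID"
}

# Create the customer's service account and grant it only the Speech-to-Text
# client role, so a leaked key cannot reach anything else in the project.
create_customer_sa() {
  customer="$1"
  "$GCLOUD" iam service-accounts create "stt-${customer}" \
    --project="$PROJECT_ID" \
    --display-name="Speech-to-Text: ${customer}"
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email "$customer")" \
    --role="roles/speech.client"
}

# Issue a fresh key file for the customer; this is the file that ships with
# that customer's installation, never a project-wide API key.
issue_key() {
  customer="$1"; out_file="$2"
  "$GCLOUD" iam service-accounts keys create "$out_file" \
    --iam-account="$(sa_email "$customer")"
}

# List the user-managed keys (id and creation time) so a mislaid one can be
# identified for revocation.
list_user_keys() {
  customer="$1"
  "$GCLOUD" iam service-accounts keys list \
    --iam-account="$(sa_email "$customer")" \
    --managed-by=user \
    --format='value(name.basename(),validAfterTime)'
}

# Revoke one key by id; only that customer's client stops working.
revoke_key() {
  customer="$1"; key_id="$2"
  "$GCLOUD" iam service-accounts keys delete "$key_id" \
    --iam-account="$(sa_email "$customer")" --quiet
}

# Disable the whole customer (all of its keys) without deleting anything.
disable_customer() {
  "$GCLOUD" iam service-accounts disable "$(sa_email "$1")"
}
```

Run it with `GCLOUD=echo` first to review the exact commands it would issue; with the real binary, `create_customer_sa acme && issue_key acme acme-key.json` provisions a customer, and `revoke_key acme <key-id>` cuts off a single leaked key without touching other customers.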