I am setting up Amplitude Analytics with my app, and because of the nature of Expo and React Native, I am trying to figure out if the API key I include in the code will be public. I don’t want people getting it and sending data as me. Is this a concern? What are other people doing? Right now I have the raw API key just sitting in the code. Is it possible to protect this with React Native and Expo, considering there will be OTA updates? Is this even something I should worry about?
All apps (Expo or not) will have this problem, especially since you can always inspect HTTP traffic to find keys. The only way to prevent the key from being public would be to route Amplitude requests via a server you control (and re-send that data to Amplitude with your key), but with enough effort, someone could always POST fake data to your server too.
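A sketch of the relay described in the answer, added here as an example and not part of the original thread: the server holds the key, copies only expected fields from the app's request, and forwards the result to Amplitude's HTTP V2 endpoint. The event allow-list, size limits, function names and the `AMPLITUDE_API_KEY` environment variable are assumptions for illustration.

```javascript
// Added example: relay logic that runs on a server you control (Node 18+).
// The Amplitude key lives only in the server environment, never in the app bundle.
const AMPLITUDE_URL = "https://api2.amplitude.com/2/httpapi";
const ALLOWED_EVENTS = new Set(["app_open", "signup", "purchase"]); // hypothetical allow-list
const MAX_EVENTS = 10;   // assumed per-request batch limit
const MAX_ID_LEN = 64;   // assumed user_id length limit

// Build the body sent upstream. Only known fields are copied, so a
// client-supplied api_key or unexpected property is silently dropped.
function buildUpstreamPayload(clientBody, apiKey) {
  if (!apiKey) throw new Error("server key not configured");
  if (!clientBody || !Array.isArray(clientBody.events)) {
    throw new Error("events array required");
  }
  const n = clientBody.events.length;
  if (n === 0 || n > MAX_EVENTS) throw new Error("bad batch size");
  const events = clientBody.events.map((e) => {
    if (!e || typeof e.user_id !== "string" ||
        e.user_id.length === 0 || e.user_id.length > MAX_ID_LEN) {
      throw new Error("bad user_id");
    }
    if (!ALLOWED_EVENTS.has(e.event_type)) throw new Error("unknown event_type");
    // Timestamp on the server so clients cannot backdate events.
    return { user_id: e.user_id, event_type: e.event_type, time: Date.now() };
  });
  return { api_key: apiKey, events };
}

// Validate, then forward. `send` is injectable so the logic can be tested offline.
async function relay(clientBody, apiKey = process.env.AMPLITUDE_API_KEY,
                     send = globalThis.fetch) {
  let payload;
  try {
    payload = buildUpstreamPayload(clientBody, apiKey);
  } catch (err) {
    return { status: 400, error: err.message };
  }
  const res = await send(AMPLITUDE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  });
  return { status: res.ok ? 200 : 502 };
}
```

As the answer notes, this does not stop someone from POSTing fake data to the relay; it keeps the key private and lets the server bound what can be submitted (rate limiting or per-user authentication would sit in front of `relay`).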