Modern APIs with FastAPI and Python Transcripts
Chapter: Building a realistic API
Lecture: Setting the API key (keeping secrets safe)
0:00 Let's take a minor diversion and just give you a quick warning about putting stuff in
0:04 to GitHub, especially public repos like this one and how we might go about
0:08 dealing with this API key.
0:10 There's a bunch of options, I'll show you pretty straightforward and simple one.
0:13 Have you heard of this? Git, as in secrets in Git? Look at this.
0:17 So if we come over here and you go over to shhgit, this is
0:21 a thing that watches GitHub,
0:23 all of GitHub, and you can see it's refreshing here with the various secrets that
0:28 it's finding. And notice, it's already found seven or eight secrets,
0:33 Django configuration files, AWS access keys,
0:36 all sorts of horrible, horrible stuff.
0:38 It's doing this by just hooking into overall public change
0:43 log of GitHub. Something along those lines. You can read about how it works.
0:46 How terrifying is that? So you really,
0:51 really want to make sure that this does not get into GitHub.
0:55 What we're gonna do is we're gonna go over here.
0:57 I'm gonna create a file that is going to give us the structure we need,
1:01 but we're gonna make sure it does not get the secret.
1:04 So it's gonna be settings, we want to a settings dot
1:06 JSON. We're not gonna put that in to GitHub,
1:08 so we need an easy way to recreate it.
1:11 We're gonna say template. Okay.
1:15 And over in the template, it's gonna have two things, an API key,
1:18 which will be "abc" and a kind of action.
1:24 Let me copy a little bit better description for you.
1:27 Really all we care about is the API key.
1:29 But we want something like, Hey,
1:31 copy this to settings.json and make sure it does not get committed in to
1:35 GitHub. So PyCharm sometimes will automatically add this,
1:38 which means it's a little suspicious.
1:41 So let me close this. I'm gonna go over and add that file,
1:45 make sure it's ignored in GitHub,
1:46 then we'll carry on. Alright,
1:48 here we are, outside of PyCharm.
1:50 I'm going to create a copy of it.
1:51 Call it just settings.json.
1:53 I'm gonna use, I'm a big fan of Sourcetree,
1:56 so I'm gonna go over to Sourcetree and tell it that this is being ignored
2:01 in this repo. Here we go.
2:03 Alright, so now it should be safe to go back to PyCharm,
2:07 and it won't automatically add that to GitHub. Notice it was there for a second
2:11 then it went away. I think it will
2:12 go back to gray. See this color,
2:14 this golden color? That means it's ignored in Git.
2:18 Now, this one is not that color,
2:20 but I'm pretty sure it's gonna be fine.
2:22 Yeah, there you go. Just needs some change detection.
2:24 So this is ignored and not going to get into shhgit and all the other
2:27 things and I'm gonna pause the video,
2:30 put my API key in there,
2:31 you would put yours right there, and then we'll carry on. Alright now, hiding in
2:36 my settings.json is my API key,
2:39 but we're not gonna talk or worry about that.
2:41 What I need to do is now configure API keys like this,
2:46 and that's a thing we gotta write down here.
2:49 And what we're going to do is I'm just gonna do a little bit of standard
2:53 file I/O, we're not gonna worry too much about how it works.
2:55 I'm just gonna drop it in here. I'm just going to import pathlib
2:58 path, like so. We're gonna import JSON to read the JSON.
3:03 And what I've done is over here in open weather service,
3:08 I've given it an API key,
3:09 so we could just set that once globally and then use it for all our requests.
3:13 So back here, change this to API key,
3:17 so it doesn't think it's misspelled.
3:18 There we go. So we're just gonna set this API key here like
3:21 that with the value we got out there,
3:23 and off it goes. We're gonna also check that the file exists.
3:26 So if for some reason it doesn't exist,
3:28 it'll give us a warning. So let's run it. If it starts up
3:31 okay, Cool. It found the settings.json
3:34 and it set that API key.
3:37 Alright, this is one super,
3:38 super simple way to handle having a secret.
3:40 We just have to copy, create and copy this,
3:43 like in our production, or whenever we get a new dev machine,
3:46 you could also do it in environmental variables.
3:48 Sometimes what I'll do is I'll have the settings directly embedded in source code,
3:53 but they're encrypted and I'll just set the encryption key.
3:56 That way, if there's a whole bunch of different things like Mailchimp and Stripe
4:00 and DigitalOcean and just like all these API keys,
4:03 you have one setting you have to set up to get your machine ready to go
4:06 and then you can decrypt all of them.
4:08 But you don't want to put them in there by themselves,
4:11 as you saw because of the shhgit stuff.
4:16 That's scary. But we definitely, definitely don't want to be part of this little fun
4:21 happening right here. Alright,
4:23 so now we've got our API key. Again,
4:25 you have to create an account and get a free account,
4:27 get the free API key and do the same thing.
4:30 Take the settings_template.json,
4:32 copy the settings,
4:35 put your API key in there, you'll be good to go.