I’m working on a mobile app for our station that lets people listen in to our live broadcast, and I was going to add in a feature where it shows the currently playing song using the Spinitron API. However, I’d need to use the API key to authenticate it, which either means putting it in the app (which then means making the API key public) or putting it in layers of backend that the app would connect to first (which someone could still connect through and get to the key eventually).
Since I don’t see any way for the key to be totally obscured, I was wondering if there was a way to make a key that only has read access to the API? Like, it can’t use the /post endpoint to add songs to the playlist? Then it wouldn’t be an issue if people are able to see and use the key.
I don’t really think that any of the people using the app would ever go through and get at the key, and even if they did, I don’t think people would have an interest in adding songs to our playlists, but I don’t want to be the source of a security issue for our station nonetheless.