This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 41%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
I am new to .Net MAUI but fairly experienced with ASP.NET CORE and Blazor. I'm developing a MAUI application that will allow a user to integrate with third-party services using API keys. My issue is, I'd like to store API Key securely and nobody can extract it using reverse engineering. How can protect API Key and other secrets?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
You can not safely ship an api key with the app. Normally the app would fetch the key (after validation of the user) from a trusted server and store the key securely as suggested above.
How to steal a key
https://approov.io/blog/how-to-extract-an-api-key-from-a-mobile-app-with-static-binary-analysis
To store secrets in your application, you may use SecureStorage.
Hope this helps
Should we store Payment Gateway API Secrets in SecureStorage?
Yes. See the example that is mentioned that writes oauth-token in the secure storage.
The details of securestorage implementation is platform specific. You may refer
Android: https://developer.android.com/topic/security/data
Hope this helps
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 93%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDR%3C/text%3E%3C/svg%3E)
Don't you need other secrets to be able to fetch your secrets from the secure storage?
Secure store is only for secrets the user may know the value of, like a password. Never store an application api key on the client machine unless it ok for the client to know the value.
you should use user credentials to access the key, though the best approach is an api proxy server that validates the users access.
you should supply a web service api that you maui app calls. this web service should have the api keys. You should have the Maui app register the user with your api. Then the Maui app can use the user registration to access the site. If you use access tokens, you can store the token in a secure store on the client.