I am using some web API that operates by providing an API key (40 character string).
Upon registration to this service, i (the developer) gets this key which is unique per user.
Every call to the API looks something like a POST call to:
http://www.someservice.com/api/method
Where the actual data passed in the request contains:
apiKey=myKeyHere....
My question is -- how can i prevent users of my app revealing this API key?
This specific service provides highscore storage for games. Making my API key easily accessible means that players of my game will be able to issue their own requests for registering highscores.
I would like to either HARD CODE it into the code (less ideal solution) or keep it in some binary/configuration file that cannot be used to determine the actual string.
The scenario i would like to prevent is users getting this key, and submitting messages using it to the server instead of my app.