Managing API Keys

Capture Date: 03.07.2018 21:28:06

In the previous lesson we acquired the secret access token we’ll use to request information from the Yelp Fusion API. But as you know, API keys, tokens, and credentials should not be stored directly in source code pushed to GitHub. This simply isn’t secure; especially if the API has a rate limit, charges for use, or provides access to sensitive information. We don’t want others obtaining our credentials!

Thankfully we can easily conceal our API keys, similar to what we did in JavaScript. The process is a tad different in Android, but we think you’ll get the hang of it quickly. In this lesson we’ll discuss how to obfuscate API credentials in Android apps, as we walk through integrating our Yelp access token into MyRestuarants. Once our API key is safely integrated we’ll begin constructing our first API call in upcoming lessons.

Hiding API Keys

1. Add Credentials to

First, we’ll add our new token the file located in the root directory. is simply a file where properties and configuration settings for gradle-built projects reside.


We must include a space between Bearer and the access token itself. And the term Bearer must be capitalized. This format looks a little funny compared to API credentials you’ve likely seen in the past, but it’s simply what this particular API requires. If we don’t follow this exact format, we won’t be able to successfully retrieve data.

2. Ignore

Next, let’s hide our file from GitHub by adding it to .gitignore so that the credentials we just listed will not be pushed to Github:


*.iml ... /

If you don’t see a .gitignore file in your project’s directory, you may have to switch from Android view to Project view in Android Studio. The Android view displays only the key source files of an Android project, whereas Project displays all files.


If you’ve already committed file to your Git repository you’ll have to retroactively remove it in order to begin ignoring it moving forward. To remove files listed in r .gitignore from your local repository, run the following command:

$ git rm --cached -r .

This will reset which files are staged for committing. You should be able to run $ git status, and see that all files are unstaged (including After this, you can $ git add . and $ git commit -m "your commit message" again, and your new commit should not contain For more details, check out the Removing Ignored Files from a Project section in this Java lesson.

3. Initialize String Constants

Next we’ll create a class to contain references to our Yelp credentials. Right-click on the primary package containing our source code and select New > Java Class. Name this new class


Within this file we’ll include the following code referencing the access token from

public class Constants { public static final String YELP_TOKEN = BuildConfig.YELP_TOKEN; }

Here, we’re instructing the application that the value for our YELP_TOKEN constant can be found in the BuildConfig file. is a file that is generated automatically when gradle builds our project. You’ll likely receive an error when you add the code above. But that’s alright, this is simply because we haven’t added YELP_TOKEN to our Build Config yet. We’ll do this next.

4. Connect Credentials When the Project Builds

Next, let’s instruct our application to include our token in the BuildConfig file when it is created. We’ll add the following to our build.gradle file:

build.gradle(Module: app)

apply plugin: '' android { ... buildTypes.each { it.buildConfigField 'String', 'YELP_TOKEN', YelpToken } }

Here we’re instructing our application to include the token placed in in the BuildConfig file when it is built. The keys in our class will now refer to the strings added to at runtime. And none of our credentials will be visible on GitHub!