Why putting API keys in Flutter apps is dangerous
Mobile and desktop apps built with Flutter are not private. Compiled apps can be decompiled and inspected. Any API key included in a Flutter app is therefore exposed.
This means that any API key shipped in your Flutter app can be reused by others, leading to unexpected usage, quota overages, or security breaches!
Common ways client-side keys are exposed
- HTML: In the case of Flutter Web, the API keys will be visible in plain text. Oops.
- Reverse engineering: Mobile apps can be unpacked and decompiled. An attacker can then easily find your API key.
- Network interception: On a rooted device or a network set up for interception, requests can be inspected, and those requests carry your API keys.
For these reasons, you should never use private API keys in a Flutter app. But if you need to access third-party AI services from your Flutter app, what can you do instead?
Solution (hard mode) — use a secure server-side proxy
Rather than calling third-party AI APIs directly from the client, route requests through a server-side proxy. The server must make sure that requests actually come from your users, and that they are not able to make more requests than they paid for.
This means that your server must authenticate and authorize requests before forwarding them. That server must also keep track of usage per user. Finally, it must keep track of payments made by every user, so that it can adjust user quotas accordingly.
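A minimal sketch of the gate such a proxy needs, in Python, added here as an example (it is not PromptProxy's code or part of the original article). The token format, the in-memory quota table and the `forward` callable standing in for the upstream call are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumptions: token format "user.expiry.signature" (user ids contain no dots),
# a single-process in-memory quota table, and an injected `forward` callable.
SIGNING_KEY = os.environ.get("PROXY_SIGNING_KEY", "constructed-demo-key").encode()
PROVIDER_KEY = os.environ.get("PROVIDER_API_KEY", "constructed-provider-key")  # stays on the server

quota_left = {"alice": 2}  # constructed sample: requests each user has paid for


def issue_token(user, expiry):
    """Mint a token after login; the app stores this instead of the provider key."""
    msg = f"{user}.{expiry}"
    sig = hmac.new(SIGNING_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{sig}"


def authenticate(auth_header, now):
    """Return the user id for a valid, unexpired bearer token, else None."""
    scheme, _, token = (auth_header or "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    user, expiry, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time compare
        return None
    if int(expiry) < now:  # expiry is trusted only after the signature check passed
        return None
    return user


def handle(auth_header, body, forward, now=None):
    """Gate one client request: authenticate, check quota, then forward."""
    now = time.time() if now is None else now
    user = authenticate(auth_header, now)
    if user is None:
        return 401, "invalid or expired token"
    if quota_left.get(user, 0) <= 0:
        return 429, "quota exhausted"
    quota_left[user] -= 1  # count the request before it reaches the paid upstream API
    return 200, forward(body, PROVIDER_KEY)
```

The provider key is only ever passed to `forward` on the server; the Flutter app holds just the short-lived per-user token.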
That's a lot of work, and error-prone. And honestly, it's super boring. That's why we built one for you.
Solution (easy mode) — PromptProxy, 3 lines of code
PromptProxy is designed to be a safe, server-side drop-in replacement for using AI tools.
- Sign up for PromptProxy and configure your AI provider API keys in the dashboard.
- Point your Flutter app at PromptProxy's OpenAI-compatible endpoints (e.g. https://api.promptproxy.com/v1/chat/completions)
- Add a user authentication token to each request (e.g. in the Authorization header)
If this sounds unfamiliar, don't worry. We have a number of open source templates that you can use.