Credentials Security

Keep your credentials secure

Remember, don't share your account information with anyone, including your API key!

For your login credentials, take the same precautions as you would with your League of Legends account.

Regarding your API key, this key is tied to your League of Legends account and will be used for your application. If someone has access to your key, they can potentially use it for their own purposes, leaving you without one or with a severely diminished rate limit – even entering your key into another application can be dangerous! You should also make sure that you are using SSL/HTTPS when accessing the APIs so that your key is kept safe. You don’t want anyone else consuming your traffic and making it impossible for you to build your app. Protect your key so that everyone can see the awesome things you build!

Note that embedding a key in a distributed client application, like a desktop or mobile application, means that your key can be compromised. Even secure storage or encrypted keys on a client can be breached. The only way to ensure your API key remains safe is to have the client application access your own server, which then makes the appropriate request to the API using HTTPS. Even in the worst case scenario, if someone does manage to get your key from your server, through a man-in-the-middle or other type of attack, you can easily regenerate your key and update it in your server. If you have a key distributed across numerous client applications, you won't be able to do that without breaking all of the clients.

For similar reasons, generally you should not commit your API key to your code base, especially if you plan on building a distributed binary from that code base. Even if your code base is for a server application, we recommend reading your API key from a configuration file running on the server, rather than committing it to the code base. This practice limits your exposure to only the boxes that the server is running on, allows you to easily swap out keys without having to rebuild and redeploy, and prevents accidental sharing of your keys if you ever open source or otherwise share parts of your code.

Note that for teams working together on an application, there will be an obvious need to share an API key for your application. Our intention is not to discourage sharing along these lines, but rather sharing with people outside of your organization or who are working on other projects.

Sometimes people post their API keys on the forums when they are asking for help or giving code examples. Please note that if you do this, we will edit the post to remove the key and then regenerate your key on your account.