Let’s say that you are building a nice app, one that connects to a third-party service. Almost any API worth implementing uses an API key as part of basic authentication and security. Checking this into source control can expose your key to the public if you ever open-source your project (or parts of it).
The Gradle build system allows us a clean way to avoid this.
- Add the key to your
gradle.propertiesfile in your home directory under
- Import the key as a
resValuein your module-level
- Use the key in your Java or XML files as needed.
1. Defining key in build.gradle
.gradle folder in your home directory. Usually it can be found at:
Inside it there would be a file named
gradle.properties (just create it if there isn’t any).
After that, add your key to the file as a property. If your key was
my-awesome-api-key, the file after adding the key might look something like:
I prefer to use this format
<Project Name>_<Key Property Name> so that I don’t mix up keys for different projects by mistake.
2. Importing the key in your project
- Open your module-level
build.gradlefile (usually the one where you define dependencies for your app).
- Add your property in each of your build types.
- If you want to access the key from Java, then add it as a
- If you want to access the key in your XML files (layouts and other resources), then add it as a
After doing so, your
build.gradle might look like this:
3. Using the key in your app’s code
Now you can access the key from your code as described below.
Accessing in Java
It is available as a standard String in your Java/Kotlin (if you use Kotlin, you good sir just became a friend of mine) code. To access it:
Accessing in XML
If you want to use it in XML files (like AdMob keys are needed sometimes in XML), you can access them just like any other string resource (used in the last line):
Now you can safely have a public repository that can reference API keys. You can also have different keys for debug and release (just specify different property names in respective build-types).
Being a good samaritan
Securing your API keys is an essential step and you should always do it, but you also should document how someone is supposed to provide those keys to build the project from a clean checkout from your repository.