SerpApi Security Basics
Overview
SerpApi uses a single API key for authentication. The key grants full account access -- there are no scoped keys or OAuth. Protect it like a credit card: never expose in frontend code, always proxy through your backend.
Instructions
Step 1: Never Expose API Key in Frontend
// BAD: API key in browser-side code
const result = await fetch(`https://serpapi.com/search.json?q=${query}&api_key=YOUR_KEY`);
// GOOD: Proxy through your backend
// Frontend
const result = await fetch(`/api/search?q=${encodeURIComponent(query)}`);
// Backend (api/search.ts)
export async function GET(req: Request) {
const url = new URL(req.url);
const q = url.searchParams.get('q');
const result = await getJson({
engine: 'google', q,
api_key: process.env.SERPAPI_API_KEY, // Server-side only
});
return Response.json(result.organic_results);
}
Step 2: Secure Storage
# .gitignore
.env
.env.local
# Use platform secret managers in production
gh secret set SERPAPI_API_KEY # GitHub Actions
vercel env add SERPAPI_API_KEY # Vercel
fly secrets set SERPAPI_API_KEY=x # Fly.io
Step 3: Rate Limit Your Proxy
// Prevent abuse of your search proxy endpoint
import rateLimit from 'express-rate-limit';
const searchLimiter = rateLimit({
windowMs: 60_000, // 1 minute
max: 10, // 10 searches per minute per IP
message: 'Too many searches, try again later',
});
app.get('/api/search', searchLimiter, searchHandler);
Step 4: Monitor Usage
# Set up daily usage check
curl -s "https://serpapi.com/account.json?api_key=$SERPAPI_API_KEY" \
| jq '{used: .this_month_usage, remaining: .plan_searches_left}'
# Alert if usage is unexpectedly high
Security Checklist
- [ ] API key in environment variables only
- [ ]
.envin.gitignore - [ ] Backend proxy for all search requests
- [ ] Rate limiting on proxy endpoints
- [ ] Usage monitoring and alerts
- [ ] Separate keys for dev/prod (if available)
Resources
Next Steps
For production deployment, see serpapi-prod-checklist.