Securing iOS API keys

I am currently using photoroom’s API for background removal in an iOS application, and proxying all requests through my backend server to keep my API key secure. I would like to reduce latency and initiate the background removal directly from the client, but I am not sure how to go about securing my API key. What are the best practices here? Ideally I could monitor usage per user on my backend and throttle / revoke access for abuse. I would also like to know if photoroom has plans to support app attestation, which I believe could also prevent usage of API keys outside of the particular iOS app to which the key would be registered.

Hi there,

I checked in with our engineering team, and they confirmed that proxying is indeed the best approach with what we currently offer. This ensures your API key stays secure, while also giving you full control to monitor usage, apply per-user limits, and revoke access if needed.

Regarding App Attestation: we don’t currently support this; however, I am taking this as direct feedback for our team to review.

Speak soon,

Thanks so much. Another interesting idea would be something analogous to AWS S3 presigned URLs - where the backend would call the photoroom API to generate an expiring one-time use URL for the client to initiate the background removal on their device.

That’s a great idea! Thanks for adding this input; I will share it internally.
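The two patterns discussed in this thread, the backend proxy that keeps the vendor key server-side with per-user throttling and revocation, and the presigned-URL analogue of a short-lived, single-use grant, as an added Python example that is not code from the original thread or from photoroom. It assumes the iOS client has already been authenticated by the backend (so `user_id` is trusted), models the upstream call as an injectable `upstream(image_bytes, api_key)` callable so it runs offline, and uses constructed placeholder secrets; the grant minting and verification are shown in one class so the example is self-contained, whereas in the proposal above the vendor would hold the signing key and do the verifying.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict, deque

# Constructed placeholders: in a real deployment both secrets live only on the
# server (environment or secrets manager) and never in the iOS app bundle.
VENDOR_API_KEY = "PLACEHOLDER_VENDOR_API_KEY"
GRANT_SIGNING_KEY = b"constructed-server-only-hmac-key"


class BackgroundRemovalBackend:
    """Server-side gatekeeper for the vendor API key (hypothetical backend)."""

    def __init__(self, upstream, limit=5, window_s=60, grant_ttl_s=120, clock=time.time):
        self.upstream = upstream          # callable(image_bytes, api_key) -> result
        self.limit = limit                # calls allowed per user per window
        self.window_s = window_s
        self.grant_ttl_s = grant_ttl_s    # lifetime of a one-time grant
        self.clock = clock                # injectable so expiry can be tested offline
        self.usage = defaultdict(deque)   # user_id -> timestamps of recent calls
        self.revoked = set()
        self.used_nonces = set()          # grants that have already been redeemed

    # --- proxy pattern: per-user throttling and revocation -------------------
    def revoke(self, user_id):
        """Cut off a user; the vendor key itself never needs rotating for this."""
        self.revoked.add(user_id)

    def _charge(self, user_id):
        """Record one call if the user is within quota and not revoked."""
        if user_id in self.revoked:
            return False
        now = self.clock()
        recent = self.usage[user_id]
        while recent and recent[0] <= now - self.window_s:   # drop old entries
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def proxy_remove_background(self, user_id, image_bytes):
        """Client -> backend -> vendor; the API key is only ever used here."""
        if not self._charge(user_id):
            return {"ok": False, "error": "rate_limited_or_revoked"}
        return {"ok": True, "result": self.upstream(image_bytes, VENDOR_API_KEY)}

    # --- presigned-URL analogue: short-lived, single-use, HMAC-signed grant ---
    def mint_grant(self, user_id):
        """Issue a grant the client can present once; quota is charged at issue time."""
        if not self._charge(user_id):
            return None
        payload = {"sub": user_id, "exp": int(self.clock()) + self.grant_ttl_s,
                   "nonce": secrets.token_hex(8)}
        raw = json.dumps(payload, separators=(",", ":")).encode()
        body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        sig = hmac.new(GRANT_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def redeem_grant(self, token):
        """Verify signature, expiry and single use; return the user_id or None."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(GRANT_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["exp"] < self.clock() or payload["nonce"] in self.used_nonces:
            return None
        self.used_nonces.add(payload["nonce"])       # burn the nonce: one use only
        return payload["sub"]


if __name__ == "__main__":
    # Offline demo with a stub upstream; real code would call the vendor over HTTPS.
    backend = BackgroundRemovalBackend(lambda img, key: {"size": len(img)}, limit=2)
    print(backend.proxy_remove_background("alice", b"constructed-image-bytes"))
    grant = backend.mint_grant("bob")
    print(backend.redeem_grant(grant), backend.redeem_grant(grant))  # bob, then None
```

The quota is charged when a grant is minted rather than when it is redeemed, so a client cannot stockpile grants to bypass the per-user limit, and the nonce set is what makes the grant single-use; in production that set and the usage counters would live in shared storage such as Redis rather than in process memory.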